CVE-2025-23016 CRITICAL

CVE-2025-23016

Vendor Fastcgi
Product fcgi
Weakness CWE-190 (Integer Overflow or Wraparound)
Published January 10, 2025
Last update February 26, 2026

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

The lengths come from the FCGI_PARAMS stream, where each name and value carries a one-byte length, or a four-byte big-endian length (high bit set, so at most 0x7fffffff) when it exceeds 127 bytes. ReadParams adds the two decoded lengths plus two terminator bytes as a 32-bit int to size one heap allocation, so two near-maximum lengths wrap to a small value; the copies that follow still use the original lengths and write past the undersized buffer. The record scores the attack vector as Local because the input arrives over the application's IPC socket; where that socket is a TCP listener reachable by the web server or other hosts, the same crafted stream can be delivered over the network and the effective attack vector is Network.
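The program below is an added illustration, not code from fcgi2 and not the upstream patch. It reimplements the FastCGI name-value length encoding from the spec, models the pre-fix allocation arithmetic (`nameLen + valueLen + 2` in 32-bit arithmetic) so the wrap is visible, and parses the same pair with a hardened check of the author's own design: sum the lengths in 64 bits, cap the result, and require that the declared lengths are backed by bytes actually present. The two FCGI_PARAMS bodies are constructed for the demo, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one FastCGI name-value length prefix (spec section 3.4): a single
 * byte when its high bit is clear, otherwise four bytes big-endian with the
 * high bit masked off, giving at most 0x7fffffff. Returns the length or -1
 * if the buffer is too short; *used (nullable) receives bytes consumed. */
int64_t decode_len(const unsigned char *p, size_t avail, size_t *used)
{
    if (avail < 1) return -1;
    if ((p[0] & 0x80) == 0) {
        if (used) *used = 1;
        return p[0];
    }
    if (avail < 4) return -1;
    if (used) *used = 4;
    return ((int64_t)(p[0] & 0x7f) << 24) | ((int64_t)p[1] << 16)
         | ((int64_t)p[2] << 8) | p[3];
}

/* Models the pre-fix arithmetic: nameLen + valueLen + 2 evaluated in a
 * 32-bit int, so two lengths near 2^31 wrap to a tiny allocation while the
 * later copies still trust the original lengths. uint32_t makes the wrap
 * well-defined for this demo (in the real code it is signed overflow). */
uint32_t vulnerable_alloc_size(uint32_t nameLen, uint32_t valueLen)
{
    return nameLen + valueLen + 2u;   /* wraps modulo 2^32 */
}

/* Hardened check (author's illustration, not the upstream fix): sum in 64
 * bits, reject anything that would not fit a 32-bit int, and reject pairs
 * whose declared lengths exceed the bytes remaining in the stream. */
int checked_alloc_size(uint32_t nameLen, uint32_t valueLen, size_t remaining,
                       size_t *out)
{
    uint64_t total = (uint64_t)nameLen + valueLen + 2;
    if (total > INT32_MAX) return -1;                        /* would wrap */
    if ((uint64_t)nameLen + valueLen > remaining) return -1; /* truncated */
    if (out) *out = (size_t)total;
    return 0;
}

/* Parse one name-value pair from buf with the hardened check. On success
 * returns 0 and, if name/value are non-NULL, points them into a single
 * allocation (free *name only, as fcgiapp.c's layout implies); -1 on reject. */
int parse_pair(const unsigned char *buf, size_t len, char **name, char **value)
{
    size_t pos = 0, used = 0, need = 0;
    int64_t nameLen = decode_len(buf, len, &used);
    if (nameLen < 0) return -1;
    pos += used;
    int64_t valueLen = decode_len(buf + pos, len - pos, &used);
    if (valueLen < 0) return -1;
    pos += used;
    if (checked_alloc_size((uint32_t)nameLen, (uint32_t)valueLen,
                           len - pos, &need) != 0)
        return -1;
    char *nv = malloc(need);
    if (!nv) return -1;
    memcpy(nv, buf + pos, (size_t)nameLen);
    nv[nameLen] = '\0';
    memcpy(nv + nameLen + 1, buf + pos + nameLen, (size_t)valueLen);
    nv[nameLen + 1 + valueLen] = '\0';
    if (name && value) { *name = nv; *value = nv + nameLen + 1; }
    else free(nv);
    return 0;
}

/* Convenience: 1 if buf parses to exactly the expected name and value. */
int parse_pair_check(const unsigned char *buf, size_t len,
                     const char *expect_name, const char *expect_value)
{
    char *n = NULL, *v = NULL;
    if (parse_pair(buf, len, &n, &v) != 0) return 0;
    int ok = strcmp(n, expect_name) == 0 && strcmp(v, expect_value) == 0;
    free(n);
    return ok;
}

/* Constructed FCGI_PARAMS bodies for the demo (not captured traffic). */
const unsigned char BENIGN[] = "\x0f\x0a" "SCRIPT_FILENAME" "/index.php";
#define BENIGN_LEN (sizeof BENIGN - 1)
/* Both lengths 0x7fffffff in four-byte form; 0x7fffffff+0x7fffffff+2 wraps to 0. */
const unsigned char MALICIOUS[] = "\xff\xff\xff\xff" "\xff\xff\xff\xff" "AAAA";
#define MALICIOUS_LEN (sizeof MALICIOUS - 1)

int main(void)
{
    uint32_t big = 0x7fffffffu;
    printf("pre-fix size for 0x%x + 0x%x + 2: %u bytes\n",
           big, big, vulnerable_alloc_size(big, big));
    printf("benign pair parses: %s\n",
           parse_pair_check(BENIGN, BENIGN_LEN, "SCRIPT_FILENAME", "/index.php")
               ? "yes" : "no");
    printf("oversized pair rejected: %s\n",
           parse_pair(MALICIOUS, MALICIOUS_LEN, NULL, NULL) == -1 ? "yes" : "no");
    return 0;
}
```

The two checks in `checked_alloc_size` are deliberately independent: the 64-bit sum closes the wrap itself, and the remaining-bytes bound refuses any pair that claims more data than the stream carries, which is the condition an attacker relies on to reach the copy with a short buffer.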

Key dates

02 Disclosure timeline

January 10, 2025 CVE published
February 26, 2026 Record updated