CVE-2025-40907
Linux Debian vulnerability analysis and mitigation

Overview

FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The vulnerability was discovered in early 2025 and affects the FastCGI library's parameter processing functionality. The issue involves an integer overflow that can lead to a heap-based buffer overflow via crafted nameLen or valueLen values in data sent to the IPC socket (NVD, Synacktiv).

Technical details

The vulnerability occurs in the ReadParams function in fcgiapp.c, where input lengths are not validated before use and an integer overflow can result. When nameLen and valueLen both equal 0x7fffffff, the +2 added to their sum for the malloc call wraps past the maximum value of a 32-bit size_t. The allocated buffer is therefore far smaller than the data that is then written into it, producing a heap-based buffer overflow. The vulnerability is particularly concerning on embedded equipment with limited system protections (Synacktiv, Github Issue).
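The following is an added illustration written for this page, not fcgi2's own code: it reconstructs the length arithmetic described above in 32-bit unsigned integers (standing in for a 32-bit size_t), shows the wrap to 0 for two 0x7fffffff lengths, and beside it a hardened computation that decodes the FastCGI length prefixes, rejects overflow, and refuses lengths larger than the bytes actually received. The function names and the sample headers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decode one FastCGI name/value length prefix: a single byte when its high
 * bit is clear, otherwise four bytes with the high bit masked off, so the
 * largest encodable length is 0x7fffffff. Returns bytes consumed, or 0 when
 * the input is truncated. */
static size_t decode_len(const uint8_t *p, size_t avail, uint32_t *len)
{
    if (avail < 1)
        return 0;
    if ((p[0] & 0x80) == 0) {
        *len = p[0];
        return 1;
    }
    if (avail < 4)
        return 0;
    *len = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

/* Unchecked size computation in 32-bit arithmetic, the pattern the advisory
 * describes: 0x7fffffff + 0x7fffffff + 2 wraps to 0, so malloc(0) would be
 * requested for nearly 4 GiB of claimed data. */
uint32_t unchecked_alloc_len(uint32_t nameLen, uint32_t valueLen)
{
    return nameLen + valueLen + 2;
}

/* Hardened version (illustrative, not the upstream fix): parse both length
 * prefixes from a record body, reject arithmetic overflow, and reject any
 * pair that claims more payload than the record holds. Returns the buffer
 * size to allocate, or 0 on rejection (a valid size is always >= 2). */
uint32_t checked_alloc_len(const uint8_t *buf, size_t avail)
{
    uint32_t nameLen, valueLen, sum;
    size_t n = decode_len(buf, avail, &nameLen);
    if (n == 0)
        return 0;
    size_t m = decode_len(buf + n, avail - n, &valueLen);
    if (m == 0)
        return 0;
    if (__builtin_add_overflow(nameLen, valueLen, &sum) ||
        __builtin_add_overflow(sum, (uint32_t)2, &sum))
        return 0;                          /* would wrap, as in the CVE */
    if ((size_t)(sum - 2) > avail - n - m)
        return 0;                          /* claims more data than was sent */
    return sum;
}
```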

Impact

The vulnerability could lead to remote code execution, particularly in embedded systems where FastCGI is commonly used and system protections are limited. The impact is heightened when the FastCGI socket is reachable over the network, which would allow the vulnerability to be triggered remotely (Synacktiv).

Mitigation and workarounds

The vulnerability has been fixed in FastCGI version 2.4.5. Users are advised to upgrade to this version or later. Additionally, it is recommended to limit potential remote access to the FastCGI socket by declaring it as a UNIX socket rather than exposing it directly (Github Release, Synacktiv).

This report was generated using AI.
