FastCGI Integer Overflow Flaw Lets Attackers Execute Code on Embedded Devices

A critical vulnerability in the FastCGI library (fcgi2 / fcgi) has been disclosed that enables remote code execution on embedded devices by triggering a heap-based buffer overflow via an integer overflow in parameter handling.

Main Takeaways

  • Vulnerability CVE-2025-23016 affects FastCGI versions 2.x through 2.4.4.
  • The flaw is in the ReadParams function: crafted nameLen and valueLen values overflow integer arithmetic on 32-bit systems, causing undersized memory allocations and buffer overflow.
  • Exploits allow overwriting function pointers in FastCGI’s internal structures (e.g. fillBuffProc), enabling attackers to hijack execution flow.
  • Patches (FastCGI 2.4.5 and later) are available; devices using TCP sockets for FastCGI or exposed IPC endpoints are especially at risk.

Details of the Vulnerability

  • The flaw hinges on the way the FastCGI library reads and computes memory allocation sizes for HTTP parameters in ReadParams. When both nameLen and valueLen are set to very large 32-bit values (e.g. 0x7FFFFFFF), adding them together (plus a small constant) wraps around on 32-bit platforms, so the computed size is far smaller than the real data length.
  • This results in allocating a buffer much smaller than required, then writing the actual parameter data into it, which overflows into adjacent heap memory.
  • Attackers can manipulate FastCGI’s FCGX_Stream structure in memory, replacing the fillBuffProc function pointer with a command execution function (like system) and planting a shell command in the input stream. Later, when fillBuffProc is called, the injected code is executed.
  • Because many embedded devices (cameras, IoT appliances) use 32-bit systems and minimal exploit defenses (no ASLR, weak memory protections), they are especially vulnerable.
  • Note: This vulnerability does not affect PHP-FPM, which uses its own FastCGI protocol implementation.
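The size computation described above, side by side with an overflow-checked version, as an added illustration that is not code from the fcgi2 library. The arithmetic is done in uint32_t so the 32-bit wraparound is reproduced on any host; the two-byte constant (PARAM_EXTRA) and the function names are assumptions, not the library's own identifiers.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed extra bytes needed beyond the raw name and value (two terminators). */
#define PARAM_EXTRA 2u

/* Unchecked form: nameLen + valueLen + PARAM_EXTRA computed in 32 bits.
 * Attacker-chosen lengths can wrap this to a tiny value, so the buffer
 * allocated from it is far smaller than the data later copied into it. */
uint32_t param_size_unchecked(uint32_t nameLen, uint32_t valueLen)
{
    return nameLen + valueLen + PARAM_EXTRA;
}

/* Hardened form: every addition is tested against UINT32_MAX before it is
 * performed. Returns false and leaves *out untouched if the total would wrap,
 * so no undersized allocation can result from crafted lengths. */
bool param_size_checked(uint32_t nameLen, uint32_t valueLen, uint32_t *out)
{
    if (nameLen > UINT32_MAX - valueLen)      /* nameLen + valueLen wraps */
        return false;
    uint32_t sum = nameLen + valueLen;
    if (sum > UINT32_MAX - PARAM_EXTRA)       /* adding PARAM_EXTRA wraps */
        return false;
    *out = sum + PARAM_EXTRA;
    return true;
}

int main(void)
{
    uint32_t sz;
    /* The advisory's example pair: both lengths 0x7FFFFFFF. */
    printf("unchecked size: 0x%08x\n",
           param_size_unchecked(0x7FFFFFFFu, 0x7FFFFFFFu));   /* prints 0x00000000 */
    printf("checked size:   %s\n",
           param_size_checked(0x7FFFFFFFu, 0x7FFFFFFFu, &sz) ? "ok" : "rejected");
    return 0;
}
```

A production fix should additionally cap the total against a configured maximum parameter size, since even a non-wrapping multi-gigabyte allocation request is a denial-of-service vector on a small device.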

Impact

  • Affected versions: FastCGI (fcgi2) up to 2.4.4
  • High-risk targets: Embedded devices (IoT, smart cameras, appliances) using 32-bit architecture
  • Attack vector: Access to the FastCGI IPC socket (locally or via network, e.g. via SSRF or web server misconfiguration)
  • Exploit conditions: Ability to send crafted parameter data, 32-bit environment, exposed FastCGI endpoint
  • Result: Arbitrary code execution, takeover of the device

Mitigation & Recommended Actions

  • Upgrade: Move to FastCGI version 2.4.5 or later, which includes bounds checking to prevent integer overflow.
  • Socket configuration: Use UNIX domain sockets rather than TCP sockets for FastCGI communication, reducing exposure.
  • Access restriction: Ensure the FastCGI socket is not exposed to untrusted networks or remote access.
  • Network segmentation: Place vulnerable embedded devices behind firewalls or segmentation so attackers cannot reach their FastCGI interfaces.
  • Patch deployment: Prioritize patching embedded systems, especially in environments where they cannot be replaced frequently.
  • Monitor & audit: Look for anomalous FastCGI traffic or suspicious parameter sizes; track unexpected process behavior on embedded nodes.
