FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
o Make the PRINT method return a boolean value rather than the number of bytes written, previous patch was incorrect.
Changes for version 0.68_01
o Force signal handler installation so that we correctly install handlers for SIGPIPE. Fixes RT#5100 <bobtfish@bobtfish.net> o Make the PRINT method return the number of bytes written rather than undef to be consistent with the IO:: interface. Fixes RT#24347 <David Dick> o Fix UTF-8 double encoding when FCGI is passed octets by downgrading them into bytes correctly. Fixes RT#52400 <chansen@cpan.org>