CVE-2025-40914
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-06-12
Assigner: CPANSec
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-40914 is an integer overflow vulnerability in the mp_grow function of the libtommath library, which is embedded in Perl CryptX before version 0.087. The issue arises because mp_grow could be called with a negative size argument, and the resulting integer overflow can cause memory corruption or unexpected behavior, potentially allowing attackers to execute arbitrary code or cause a denial of service (DoS). The vulnerability was fixed by adding input validation that rejects negative size inputs. [1, 2]
How can this vulnerability impact me?
This vulnerability can have serious impacts including allowing attackers to execute arbitrary code on the affected system or cause denial of service (DoS) conditions by corrupting memory or triggering unexpected behavior. This means an attacker could potentially take control of the system or disrupt its availability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an integer overflow in the libtommath library's mp_grow function caused by improper handling of negative size inputs. Detection involves identifying whether your system or software uses a vulnerable version of libtommath (prior to version 1.2.1) or Perl CryptX before version 0.087. There are no specific network detection commands provided. To check the installed version of libtommath, use the package management commands for your OS, for example on Debian-based systems: `dpkg -l | grep libtommath`, or on FreeBSD: `pkg info | grep libtommath`. For Perl CryptX, check the installed version of the CryptX module with `perl -MCryptX -e 'print $CryptX::VERSION'`. If the version is older than the fixed versions, the system is vulnerable. [2]
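The version checks described above, combined into one script as an added example (this is not BaseFortify's or the CryptX project's code). It assumes GNU `sort -V` for version comparison and that libtommath, where present, is installed via dpkg or FreeBSD pkg.

```sh
#!/bin/sh
# Added example: report whether the installed Perl CryptX or libtommath falls
# below the fixed versions named in the Q&A above. Assumes GNU coreutils sort -V.
set -u

CRYPTX_FIXED="0.087"      # first fixed CryptX release, per the advisory
LIBTOMMATH_FIXED="1.2.1"  # first fixed libtommath release, per the Q&A

# version_lt A B: succeed when A sorts strictly before B as a version number.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_vulnerable INSTALLED FIXED: succeed when INSTALLED is below FIXED.
is_vulnerable() {
    version_lt "$1" "$2"
}

# Print the CryptX module version, or nothing when it is not installed.
installed_cryptx_version() {
    perl -MCryptX -e 'print $CryptX::VERSION' 2>/dev/null || true
}

# Print the libtommath package version (Debian dpkg or FreeBSD pkg), stripping
# the distribution's revision suffix so only the upstream version is compared.
installed_libtommath_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' 'libtommath*' 2>/dev/null | head -n1 | sed 's/[-+].*//'
    elif command -v pkg >/dev/null 2>&1; then
        pkg query '%v' libtommath 2>/dev/null | sed 's/[_,].*//'
    fi
}

# check_one NAME INSTALLED FIXED: print a one-line verdict for one component.
check_one() {
    if [ -z "$2" ]; then
        echo "$1: not installed"
    elif is_vulnerable "$2" "$3"; then
        echo "$1: $2 installed, below $3 -> VULNERABLE, update"
    else
        echo "$1: $2 installed, at or above $3 -> fixed"
    fi
}

main() {
    check_one "Perl CryptX" "$(installed_cryptx_version)" "$CRYPTX_FIXED"
    check_one "libtommath" "$(installed_libtommath_version)" "$LIBTOMMATH_FIXED"
}

main
```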
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update libtommath to version 1.2.1 or later, which includes the fix that adds input validation to prevent negative size arguments in the mp_grow function. Similarly, update Perl CryptX to version 0.087 or later. These updates prevent the integer overflow and reduce the risk of arbitrary code execution or denial of service. If updating is not immediately possible, consider restricting access to services using the vulnerable libraries to trusted users only and monitor for suspicious activity. [2]