CVE-2025-67125
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-02-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| docopt | docopt.cpp | 0.6.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67125 is a signed integer overflow vulnerability in the docopt.cpp library, specifically in the function LeafPattern::match within docopt_private.h. When merging occurrence counters, such as adding the default LONG_MAX value to the first user occurrence of a flag (e.g., -v/--verbose), the addition can overflow the signed integer, causing the counter to wrap around to a negative or unbounded value. This overflow leads to incorrect counter semantics, which can cause logic or policy bypasses in applications relying on occurrence-based limits, rate-gating, or safety toggles. In hardened builds with sanitizers like UBSan or compiler flags like -ftrapv, this overflow can cause the process to abort, resulting in a denial of service. [2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to bypass logic or limits in your application that depend on occurrence counters. For example, if your application uses docopt.cpp to parse command-line flags and sets default counters from untrusted sources (like environment variables or config files), an attacker can cause the counter to overflow and wrap to a negative or very large value. This can lead to unauthorized enabling or disabling of features, bypassing rate limits, or activating unsafe debug modes. Additionally, in hardened builds, the overflow may cause the application to abort unexpectedly, resulting in denial of service. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by compiling and running the provided proof-of-concept (PoC) programs with Undefined Behavior Sanitizer (UBSan) enabled, which will report the signed integer overflow in the function LeafPattern::match. Specifically, setting an environment variable such as VERBOSE_DEFAULT=LONG_MAX and then invoking the affected CLI with the -v or --verbose flag will trigger the overflow. Commands to detect the issue include compiling the PoC with UBSan enabled (e.g., using Clang with -fsanitize=undefined) and running the test to observe overflow reports. Monitoring for unexpected process aborts (in hardened builds) or logic bypasses in applications using docopt.cpp may also indicate the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying checked or saturated addition when merging occurrence counters to prevent signed integer overflow. This involves normalizing negative counter values to zero and capping additions at LONG_MAX to avoid wraparound. For example, before incrementing a counter, check if the current value is negative and reset it to zero, then ensure that adding one does not exceed LONG_MAX; if it would, set the counter to LONG_MAX instead. Additionally, avoid seeding default flag values from untrusted sources such as environment variables or configuration files writable by unprivileged users. Upstream fixes involving guarded arithmetic should be applied when available. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information on how CVE-2025-67125 affects compliance with common standards and regulations such as GDPR or HIPAA.