CVE-2019-25544
Buffer Overflow in Pidgin 2.13.0 Causes Denial of Service
Publication date: 2026-03-21
Last updated on: 2026-04-16
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pidgin | pidgin | 2.13.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25544 is a denial of service vulnerability in Pidgin version 2.13.0 and earlier. It occurs when a local attacker provides an excessively long username stringβspecifically a buffer of 1000 charactersβduring account creation. This malformed username causes the application to crash when the user attempts to join a chat, making the application unavailable.
The vulnerability is classified under CWE-807, which relates to reliance on untrusted inputs in a security decision.
How can this vulnerability impact me? :
This vulnerability can impact you by causing the Pidgin application to crash and become unavailable. Since the crash is triggered by providing an excessively long username during account creation, a local attacker can exploit this to cause a denial of service, disrupting your ability to use the chat client.
The impact is specifically on availability, meaning the application stops functioning properly, which can interrupt communication and productivity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to reproduce the crash condition on Pidgin 2.13.0 by providing an excessively long username string during account creation.'}, {'type': 'paragraph', 'content': 'A practical detection method involves using the provided proof-of-concept exploit which generates a username buffer of 1000 characters.'}, {'type': 'list_item', 'content': "Run the Python script `pidgin.py` to generate a file `pidgin.txt` containing 1000 'A' characters."}, {'type': 'list_item', 'content': 'Open Pidgin, navigate to "Accounts" > "Manage Accounts," and add a new account.'}, {'type': 'list_item', 'content': 'Paste the content of `pidgin.txt` into the "Username" field and enter any string (e.g., "1234") in the "Password" field.'}, {'type': 'list_item', 'content': 'After adding the account, right-click the Pidgin icon in the taskbar\'s hidden icons area, select "Join Chat...", and click "Join."'}, {'type': 'paragraph', 'content': 'If Pidgin crashes during this process, the vulnerability is present on the system.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing local attackers from providing excessively long usernames during account creation in Pidgin 2.13.0.
- Restrict local user access to the Pidgin application to trusted users only.
- Monitor and limit input validation on username fields to reject overly long strings.
- Consider upgrading to a patched version of Pidgin if available or applying any vendor-supplied patches.
Since the vulnerability requires local access and is triggered by malformed input, controlling user permissions and input validation are key immediate defenses.