PyPI: codechecker
CVE-2025-40843
Safety vulnerability ID: SFTY-20250922-64610
Safety legacy ID: pyup.io-79853
Overview
CodeChecker has a buffer overflow in the log command
Advisory
Affected versions of the codechecker package are vulnerable to a buffer overflow caused by unsafe copying of user-controlled strings into a fixed-size stack buffer in the internal ldlogger library, which is executed by the CodeChecker log command. ldlogger uses strcpy() without bounds checking to copy its inputs into a 4096-byte stack-allocated buffer, so excessively long arguments overrun the buffer. A local attacker who can pass crafted command-line parameters or environment variables to the CodeChecker log command can overflow the buffer and crash the process, with limited potential for data exposure or modification within the process context.
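The following is an added illustration of the defect class the advisory describes and of the bounded copy that prevents it; it is not ldlogger's or CodeChecker's code, and the buffer size, function names and sample inputs are assumptions chosen to match the advisory's description.

```c
#include <stdio.h>
#include <string.h>

/* Assumed to mirror the advisory: a fixed-size stack buffer of 4096 bytes
 * that receives caller-controlled text. Not the project's real code. */
#define ARG_BUF_SIZE 4096

/* The pattern the advisory describes: an unbounded strcpy() into a fixed
 * buffer. Any src longer than dst_size - 1 bytes writes past the end of
 * dst. Shown for contrast only; nothing below calls it. */
void copy_arg_unbounded(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form: refuse input that does not fit instead of truncating
 * silently. Returns 0 on success and -1 (leaving dst untouched) if src,
 * including its NUL terminator, would not fit in dst_size bytes. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) {
        return -1;
    }
    /* memchr stops at the first NUL, so it never scans past dst_size
     * bytes of src and never reads beyond a shorter, valid string. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        return -1; /* no terminator within dst_size: too long */
    }
    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1); /* len + 1 <= dst_size, copies the NUL */
    return 0;
}

/* Typical caller: each argv element (or environment value) is checked
 * before it is placed in the fixed stack buffer. Returns how many
 * arguments were rejected as too long. */
int copy_all_args(int argc, char **argv) {
    char buf[ARG_BUF_SIZE];
    int rejected = 0;
    for (int i = 0; i < argc; i++) {
        if (copy_arg_bounded(buf, sizeof buf, argv[i]) != 0) {
            rejected++;
            continue;
        }
        /* buf now holds a properly terminated copy; use it here. */
    }
    return rejected;
}

int main(int argc, char **argv) {
    int rejected = copy_all_args(argc, argv);
    printf("%d of %d arguments rejected as too long\n", rejected, argc);
    return 0;
}
```

Rejecting oversized input rather than truncating with strncpy() is the safer choice for a logger that records compiler invocations: a silently truncated argument would produce a misleading compilation database, whereas an explicit error is visible. Compiler hardening such as stack protectors and FORTIFY_SOURCE would have turned the original overrun into an immediate abort, which matches the crash the advisory describes but does not remove the bug.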
References
- https://getsafety.com/vulnerabilities/SFTY-20250922-64610/CVE-2025-40843
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40843
- https://github.com/Ericsson/codechecker/commit/4122eb1b43d00c880e4f0747d2ca0a674feb7a50
- https://github.com/advisories/GHSA-5xf2-f6ch-6p8r
- https://github.com/Ericsson/codechecker/security/advisories/GHSA-5xf2-f6ch-6p8r
- https://nvd.nist.gov/vuln/detail/CVE-2025-40843
- https://github.com/pypa/advisory-database/tree/main/vulns/codechecker/PYSEC-2025-100.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.