{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25544", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-21T12:23:17.461Z", "datePublished": "2026-03-21T12:46:48.415Z", "dateUpdated": "2026-03-24T14:31:19.687Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-21T12:46:48.415Z"}, "title": "Pidgin 2.13.0 Denial of Service via Malformed Username", "descriptions": [{"lang": "en", "value": "Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Reliance on Untrusted Inputs in a Security Decision", "cweId": "CWE-807", "type": "CWE"}]}], "affected": [{"vendor": "Pidgin", "product": "Pidgin", "versions": [{"version": "2.13.0", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.9:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.1:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.2:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.3:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.4:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.5:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.6:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.7:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.8:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pidgin:pidgin:2.14.10:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46930", "name": "ExploitDB-46930", "tags": ["exploit"]}, {"url": "https://pidgin.im/", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: Pidgin 2.13.0 Denial of Service via Malformed Username", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username"}], "credits": [{"lang": "en", "value": "Alejandra S\u00e1nchez", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-05-27T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:30:55.803437Z", "id": "CVE-2019-25544", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:31:19.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25544", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:30:55.803437Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:31:15.844Z"}}], "cna": {"title": "Pidgin 2.13.0 Denial of Service via Malformed Username", "credits": [{"lang": "en", "type": "finder", "value": "Alejandra S\u00e1nchez"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Pidgin", "product": "Pidgin", "versions": [{"status": "affected", "version": "2.13.0"}]}], "datePublic": "2019-05-27T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46930", "name": "ExploitDB-46930", "tags": ["exploit"]}, {"url": "https://pidgin.im/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username", "name": "VulnCheck Advisory: Pidgin 2.13.0 Denial of Service via Malformed Username", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "Reliance on Untrusted Inputs in a Security Decision"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.9:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.0:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.1:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.2:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.3:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.4:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.5:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.6:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.7:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.8:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.10:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-21T12:46:48.415Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25544", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:31:19.687Z", "dateReserved": "2026-03-21T12:23:17.461Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-21T12:46:48.415Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pidgin:pidgin:2.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "87BA085C-A707-40AD-8CBC-885D111E1173", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable."}, {"lang": "es", "value": "Pidgin 2.13.0 contiene una vulnerabilidad de denegaci\u00f3n de servicio que permite a atacantes locales colapsar la aplicaci\u00f3n al proporcionar una cadena de nombre de usuario excesivamente larga durante la creaci\u00f3n de la cuenta. Los atacantes pueden introducir un b\u00fafer de 1000 caracteres en el campo de nombre de usuario y provocar un colapso al unirse a un chat, haciendo que la aplicaci\u00f3n deje de estar disponible."}], "id": "CVE-2019-25544", "lastModified": "2026-04-16T17:42:51.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-21T13:16:15.270", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://pidgin.im/"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46930"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{"bugzilla": {"description": "Pidgin: Pidgin: Denial of Service via excessively long username", "id": "2449948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449948"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1284", "details": ["A flaw was found in Pidgin. Local attackers can exploit this denial of service vulnerability by providing an excessively long username string during account creation. This can cause the application to crash when joining a chat, leading to the application becoming unavailable."], "name": "CVE-2019-25544", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "pidgin", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "pidgin", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pidgin", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2026-03-21T12:46:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-25544\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-25544\nhttps://pidgin.im/\nhttps://www.exploit-db.com/exploits/46930\nhttps://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username"], "statement": "This Moderate impact denial of service flaw in Pidgin allows a local attacker to crash the application. By providing an excessively long username string during account creation, the application becomes unavailable when attempting to join a chat.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.13.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Pidgin", "source": "cna", "vendor": "Pidgin"}, "product": "pidgin", "vendor": "pidgin"}], "analysis": {"en": {"generated_at": "2026-03-24T03:26:43.619909+00:00", "value": {"mitigation_remediation": ["Upgrade to the newest Pidgin release (\u22652.14.10 or later) which contains the fix for the username handling bug.", "After installing the update, restart Pidgin to ensure the patch is active.", "If an upgrade is not immediately possible, prevent local users from creating accounts with excessively long usernames by enforcing a maximum username length of 100 characters or less."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source instant messaging client Pidgin, specifically version\u202f2.13.0 and the 2.14.x family from 2.14.0 through 2.14.9. Users running any of these releases on Windows, macOS, or Linux are potentially exposed.", "description_and_impact": "An input validation flaw in Pidgin 2.13.0 (and versions 2.14.0\u20132.14.9) allows a local attacker to crash the program by submitting an unusually long username during account creation. The excessive length of about 1,000 characters causes the application to crash when the user attempts to join a chat, effectively making the messaging client unavailable. The flaw is attributable to improper handling of string input, reflected in CWE-1284 and CWE-807.", "risk_and_exploitability": "The CVSS score of 6.9 classifies the issue as high\u2011moderate severity, though the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation. Because the flaw requires a local user to create the malformed username, it is generally limited to compromised or physically accessible systems. The exploit path is straightforward: a local attacker supplies a 1,000\u2011character username, then attempts to join a chat, triggering a crash. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited public exploitation."}}}}, "created": "2026-03-23T09:49:35.487421+00:00", "updated": "2026-03-25T14:47:38.485709+00:00", "vendors": ["pidgin", "pidgin$PRODUCT$pidgin"]}