Vulnerabilities ›

CVE-2019-25544

Medium

CWE-807 — Weakness Type

                    Published: Mar 21, 2026                      ·  Modified: Mar 24, 2026                      ·  Source: NVD                

CVSS v3

6.2

🔗 NVD Official

📄 Description (English)

Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable.

🤖 AI Executive Summary

CVE-2019-25544 is a denial of service vulnerability in Pidgin 2.13.0 that allows local attackers to crash the application through excessively long username strings during account creation. The vulnerability has a CVSS score of 6.2 (medium severity) and requires local access to exploit. While no public exploit is currently available and no patch has been released, the impact is limited to application unavailability rather than data compromise.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 22, 2026 16:18

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability has limited impact on Saudi organizations as Pidgin is primarily a personal instant messaging client rather than enterprise communication infrastructure. However, government agencies and financial institutions that permit employee use of Pidgin for external communications could experience service disruptions. The vulnerability primarily affects individual users rather than critical infrastructure. Sectors with potential exposure include: Government (NCA, NCSC) if used for non-critical communications, and some financial institutions where employees use Pidgin for client communications.

🏢 Affected Saudi Sectors

Government Financial Services Telecommunications

🎯 MITRE ATT&CK Techniques

T1499 - Endpoint Denial of Service T1561 - Disk Wipe T1529 - System Shutdown/Reboot

⚖️ Saudi Risk Score (AI)

3.5

/ 10.0

🔧 Remediation Steps (English)

1. Immediate Actions:

   - Identify systems running Pidgin 2.13.0 through asset inventory and endpoint management tools

   - Restrict local access to systems running vulnerable versions where possible

   - Educate users not to accept account creation requests with excessively long usernames



2. Patching Guidance:

   - Upgrade to Pidgin 2.14.0 or later when available

   - Monitor Pidgin project releases for security updates

   - Consider disabling Pidgin on corporate systems if not business-critical



3. Compensating Controls:

   - Implement application whitelisting to control Pidgin execution

   - Use endpoint detection and response (EDR) solutions to monitor for application crashes

   - Restrict user permissions to prevent unauthorized account creation

   - Monitor system logs for repeated application crashes



4. Detection Rules:

   - Alert on Pidgin process crashes with event ID 1000 (Application Error)

   - Monitor for account creation attempts with username strings exceeding 256 characters

   - Track failed Pidgin chat join attempts following account creation

🔧 خطوات المعالجة (العربية)

1. الإجراءات الفورية:

   - تحديد الأنظمة التي تقوم بتشغيل Pidgin 2.13.0 من خلال جرد الأصول وأدوات إدارة نقاط النهاية

   - تقييد الوصول المحلي للأنظمة التي تقوم بتشغيل الإصدارات الضعيفة حيث أمكن

   - تثقيف المستخدمين بعدم قبول طلبات إنشاء الحساب بأسماء مستخدمين طويلة جداً



2. إرشادات التصحيح:

   - الترقية إلى Pidgin 2.14.0 أو إصدار أحدث عند توفره

   - مراقبة إصدارات مشروع Pidgin للتحديثات الأمنية

   - النظر في تعطيل Pidgin على الأنظمة الشركاتية إذا لم تكن حرجة للعمل



3. الضوابط البديلة:

   - تنفيذ قائمة بيضاء للتطبيقات للتحكم في تنفيذ Pidgin

   - استخدام حلول الكشف والاستجابة على نقاط النهاية (EDR) لمراقبة أعطال التطبيقات

   - تقييد أذونات المستخدم لمنع إنشاء حساب غير مصرح به

   - مراقبة سجلات النظام لأعطال التطبيقات المتكررة



4. قواعد الكشف:

   - التنبيه على أعطال عملية Pidgin مع معرف الحدث 1000 (خطأ التطبيق)

   - مراقبة محاولات إنشاء الحساب بسلاسل اسم المستخدم التي تتجاوز 256 حرفاً

   - تتبع محاولات الانضمام إلى دردشة Pidgin الفاشلة بعد إنشاء الحساب

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy A.12.2.1 - Monitoring of system use

🔵 SAMA CSF

ID.RA-1 - Asset management and inventory PR.IP-12 - Software development and quality assurance DE.CM-1 - Detection and analysis of anomalies

🟡 ISO 27001:2022

A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy A.12.2.1 - Monitoring of system use

🔗 References & Sources 3

🔗

https://pidgin.im/

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/46930

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username

disclosure@vulncheck.com

📊 CVSS Score

6.2

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityH — High

📋 Quick Facts

Severity Medium

CVSS Score6.2

CWECWE-807

Exploit No

Patch ✗ No

Published 2026-03-21

Source Feed nvd

🇸🇦 Saudi Risk Score

3.5

/ 10.0 — Saudi Risk

Priority: LOW

🏷️ Tags

CWE-807

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2019-25544

Introduce Yourself

Sign In Required