CVE-2025-50360

8.4 HIGH

📋 TL;DR

A heap buffer overflow vulnerability in the Pepper language compiler allows arbitrary code execution or denial of service when it processes malicious .pr source files. This affects users who compile or execute untrusted Pepper source code. The vulnerability is in the compiler itself, not in compiled programs.

💻 Affected Systems

Products:
  • Pepper language compiler
Versions: 0.1.1 (commit 961a5d9988c5986d563310275adad3fd181b2bb7)
Operating Systems: All platforms where Pepper compiler runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the compiler when processing source files, not compiled Pepper programs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution with the privileges of the Pepper compiler process, potentially leading to complete system compromise.

🟠 Likely Case

Denial of service through application crashes when processing specially crafted source files.

🟢 If Mitigated

Limited impact if only trusted source files are compiled and the compiler runs with minimal privileges.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires feeding malicious source code to the compiler. A public PoC is available in the GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/dannyvankooten/pepper-lang

Restart Required: No

Instructions:

1. Monitor the GitHub repository for updates.
2. Check whether newer commits fix the vulnerability.
3. Rebuild from source if a fix is available.

🔧 Temporary Workarounds

Restrict compiler access

linux

Limit who can run the Pepper compiler and what source files it processes

chmod 750 /path/to/pepper-compiler
setfacl -m u:trusteduser:rx /path/to/pepper-compiler

Run compiler with reduced privileges

linux

Execute compiler with minimal user privileges using sudo or similar

sudo -u nobody pepper-compiler file.pr

🧯 If You Can't Patch

  • Discontinue use of the Pepper compiler until a fix is available
  • Only compile trusted source files from verified sources

🔍 How to Verify

Check if Vulnerable:

Check Pepper compiler version: pepper --version or examine commit hash if built from source

Check Version:

pepper --version 2>&1 | head -1

Verify Fix Applied:

Test with PoC from GitHub repository to confirm crash/exploit no longer works

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault crashes of pepper compiler
  • Abnormal memory usage patterns in compiler process

Network Indicators:

  • Unusual network connections originating from compiler process

SIEM Query:

process_name:"pepper" AND (event_type:"crash" OR memory_usage:>threshold)
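
The log indicators above can be checked directly against syslog or journal text on a Linux build host. The following is an added example, not part of the original advisory or the Pepper project: it finds kernel segfault records and systemd-coredump records for the compiler process and groups them by PID. The process name `pepper` is taken from the query above, and the sample log lines are constructed.

```python
import re

PROC = "pepper"  # assumption: process name as used in the page's SIEM query

# Linux kernel record for an unhandled SIGSEGV in a user process (x86 layout).
SEGV = re.compile(
    r"\b(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+)")
# systemd-coredump record; also fires when the allocator aborts (SIGABRT)
# on detected heap corruption, which leaves no kernel segfault line.
CORE = re.compile(
    r"Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user (?P<uid>\d+) dumped core")


def find_crashes(lines, proc=PROC):
    """Return one dict per crash record of `proc` found in `lines`."""
    events = []
    for n, line in enumerate(lines, 1):
        for kind, rx in (("segfault", SEGV), ("coredump", CORE)):
            m = rx.search(line)
            if m and m.group("comm") == proc:
                events.append({"line": n, "kind": kind, **m.groupdict()})
    return events


def crashing_pids(events):
    """Distinct PIDs, so a segfault and its core dump count as one crash."""
    return sorted({int(e["pid"]) for e in events})


# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    "Jun 10 12:00:01 build01 kernel: pepper[4242]: segfault at 55d1c2e3f010 "
    "ip 000055d1c2a3b4f0 sp 00007ffd8b2c1a30 error 6 in pepper[55d1c2a30000+2f000]",
    "Jun 10 12:00:01 build01 systemd-coredump[4250]: "
    "Process 4242 (pepper) of user 1001 dumped core.",
    "Jun 10 12:03:17 build01 systemd-coredump[4311]: "
    "Process 4307 (pepper) of user 1001 dumped core.",
    "Jun 10 12:05:44 build01 kernel: cc1[4400]: segfault at 0 "
    "ip 00007f1e5a2b1c3d sp 00007ffc11aa2200 error 4 in libc.so.6[7f1e5a200000+195000]",
    "Jun 10 12:06:02 build01 sshd[4410]: Accepted publickey for ci from 192.0.2.10",
]

if __name__ == "__main__":
    events = find_crashes(SAMPLE)
    for e in events:
        print(e["line"], e["kind"], e["pid"], e.get("addr", "-"))
    print("distinct crashing PIDs:", crashing_pids(events))
```

Pass `proc="pepper-compiler"` if the binary is installed under the name used in the workaround commands.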
