#1126774 docopt.cpp: CVE-2025-67125

Package: src:docopt.cpp
Source: src:docopt.cpp
Submitter: Salvatore Bonaccorso
Date: 2026-03-17 19:19:01 UTC
Severity: normal
Tags:
#1126774#5
Date: 2026-02-01 09:48:25 UTC
Hi,

The following vulnerability was published for docopt.cpp.

CVE-2025-67125[0]:
| A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match
| in docopt_private.h) when merging occurrence counters (e.g., default
| LONG_MAX + first user "-v/--verbose") can cause counter wrap
| (negative/unbounded semantics) and lead to logic/policy bypass in
| applications that rely on occurrence-based limits, rate-gating, or
| safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the
| overflow may also result in process abort (DoS).

It is not clear what impact this has, and if it was reported upstream,
so I filed [1] to gather some information.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67125
    https://www.cve.org/CVERecord?id=CVE-2025-67125
[1] https://github.com/docopt/docopt.cpp/issues/167

Regards,
Salvatore

#1126774#10
Date: 2026-03-17 19:18:08 UTC
Hi,

I am the reporter/discoverer of CVE-2025-67125.

This issue has now been reported upstream and a proposed fix is available here:
- Upstream issue: https://github.com/docopt/docopt.cpp/issues/167
- Proposed fix PR: https://github.com/docopt/docopt.cpp/pull/168
- Reproduction details / PoCs / logs: https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd

The issue is a signed integer overflow in LeafPattern::match when merging
occurrence counters.
In realistic host applications, attacker-controlled defaults (e.g.
ENV/config/plugin-provided values) can set the counter seed to LONG_MAX,
and the first user occurrence then triggers LONG_MAX + 1.

Tested vulnerable version:
- docopt.cpp 0.6.2

Regards,
Ali Firas
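
An added illustration of the counter-merge problem described in this report, not code from docopt.cpp and not the fix proposed in the upstream PR: it shows why a wrapped counter passes a "count <= limit" check in a host application, and a checked merge that fails closed instead. All function names are hypothetical, the sample arguments are constructed, and the wrap is modelled with unsigned arithmetic (assuming two's-complement conversion) so the example itself has no undefined behaviour.

```cpp
#include <climits>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical helper names; this is not docopt.cpp's API.

// Models the two's-complement wrap of "seed + 1" without invoking UB,
// to show the value a wrapping build would store in the counter.
long wrapped_increment(long seed) {
    return static_cast<long>(static_cast<unsigned long>(seed) + 1UL);
}

// Typical occurrence-based policy check in a host application.
bool within_limit(long count, long limit) { return count <= limit; }

// Checked merge: refuses to add when the result would leave long's range.
bool checked_merge(long seed, long add, long &out) {
    if (add > 0 && seed > LONG_MAX - add) return false;
    if (add < 0 && seed < LONG_MIN - add) return false;
    out = seed + add;
    return true;
}

// Counts occurrences of `flag` on top of a default seed, failing closed
// (returns false, leaves `out` untouched) if any merge would overflow.
bool count_flag(long seed, const std::vector<std::string> &args,
                const std::string &flag, long &out) {
    long total = seed;
    for (const std::string &a : args)
        if (a == flag && !checked_merge(total, 1, total)) return false;
    out = total;
    return true;
}

int main() {
    long n = 0;
    std::vector<std::string> sample = {"-v"};  // constructed input
    long wrapped = wrapped_increment(LONG_MAX);
    std::printf("wrapped counter: %ld, passes limit 3: %d\n",
                wrapped, within_limit(wrapped, 3));
    std::printf("checked merge accepted: %d\n",
                count_flag(LONG_MAX, sample, "-v", n));
    return 0;
}
```

A host application that seeds counters from environment, configuration or plugin data can additionally range-check the seed before it reaches the parser.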