<div dir="rtl"><span>Hi,</span><br><br><span>I am the reporter/discoverer of CVE-2025-67125.</span><br><br><span>This issue has now been reported upstream and a proposed fix is available here:</span><br><span>- Upstream issue: <a href="https://github.com/docopt/docopt.cpp/issues/167">https://github.com/docopt/docopt.cpp/issues/167</a></span><br><span>- Proposed fix PR: <a href="https://github.com/docopt/docopt.cpp/pull/168">https://github.com/docopt/docopt.cpp/pull/168</a></span><br><span>- Reproduction details / PoCs / logs: <a href="https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd">https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd</a></span><br><br><span>The issue is a signed integer overflow in LeafPattern::match when merging occurrence counters.</span><br><span>In realistic host applications, attacker-controlled defaults (e.g. ENV/config/plugin-provided values)</span><br><span>can set the counter seed to LONG_MAX, and the first user occurrence then triggers LONG_MAX + 1.</span><br><br><span>Tested vulnerable version:</span><br><span>- docopt.cpp 0.6.2</span><br><br><span>Regards,</span><br><span>Ali Firas</span></div>
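<p>An added example, not taken from docopt.cpp or from the proposed fix PR: one way a host application can guard the counter arithmetic described in the message above, by validating a seed that comes from an untrusted default and refusing an addition that would pass LONG_MAX. The helper names (checked_count_add, parse_counter_seed, seed_then_count_once) are hypothetical.</p>

```cpp
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <string>

// Hypothetical helper: add `occurrences` to an occurrence counter without
// ever evaluating an overflowing signed addition (undefined behaviour in C++).
// Returns false and leaves `out` untouched when the sum is not representable.
bool checked_count_add(long current, long occurrences, long& out) {
    if (current < 0 || occurrences < 0) return false;     // counters are non-negative
    if (current > LONG_MAX - occurrences) return false;   // sum would exceed LONG_MAX
    out = current + occurrences;
    return true;
}

// Hypothetical helper: parse a counter seed from an untrusted default
// (ENV/config/plugin-provided text). Rejects empty, non-numeric, trailing
// garbage, negative and out-of-range input.
bool parse_counter_seed(const std::string& text, long& out) {
    if (text.empty()) return false;
    errno = 0;
    char* end = nullptr;
    long value = std::strtol(text.c_str(), &end, 10);
    if (errno == ERANGE || end == text.c_str() || *end != '\0' || value < 0) {
        return false;
    }
    out = value;
    return true;
}

// Seed the counter from the default, then record one user-supplied occurrence.
// A seed of LONG_MAX parses successfully but the increment is refused, so the
// LONG_MAX + 1 case from the report is reported as an error instead of computed.
bool seed_then_count_once(const std::string& default_text, long& out) {
    long seed = 0;
    return parse_counter_seed(default_text, seed) &&
           checked_count_add(seed, 1, out);
}
```

Building the host application with -fsanitize=signed-integer-overflow (UBSan) during testing flags any remaining unchecked signed addition at run time.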