in reply to secure cgi

The only way that can happen is if you misconfigure your webserver to serve your cgi programs as plain text

or create a soft/hard link to your cgi-bin and expose it to the internet, so it gets served as plain text

    cd public_html
    ln -s cgi-bin stealmysourcecode

    http://example.com/cgi-bin/foo.cgi
    UHOH!! http://example.com/stealmysourcecode/foo.cgi

or if there is a bug in your webserver (apache/iis...)

or a bug in your foo.cgi, like

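    # DATA is only open if the script has a __DATA__ or __END__ section
    seek DATA,0,0;   # rewind DATA to byte 0 of the script file itself
    print "Content-type:text/plain\n\n",
          "here is my sourcecode, steal secrets\n",
          <DATA>;    # emits the entire script, source code included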
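A check for the soft/hard link case described in the post above, as an added example that is not part of the original post: it lists links in a document root that give cgi-bin content a second name outside cgi-bin. The function name `audit_cgi_exposure` is hypothetical, and the script assumes `readlink -f` and `find -samefile` are available (GNU, BusyBox, BSD).

```shell
#!/bin/sh
# Added example (not from the original post): report links inside a web
# document root that make cgi-bin content reachable under a second URL.
# Assumes `readlink -f` and `find -samefile` (not strict POSIX).

audit_cgi_exposure() {
    docroot=$(cd "$1" && pwd -P) || return 2   # physical path of the docroot
    cgibin=$(cd "$2" && pwd -P) || return 2    # physical path of cgi-bin

    # Symlinks: anything outside cgi-bin that resolves to cgi-bin or to a
    # file below it, like the "stealmysourcecode" link in the post.
    find "$docroot" -type l ! -path "$cgibin/*" | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue   # skip dangling links
        case "$target/" in
            "$cgibin"/*) printf 'SYMLINK %s -> %s\n' "$link" "$target" ;;
        esac
    done

    # Hard links: a script in cgi-bin with link count > 1 may have a second
    # name elsewhere in the docroot, where it is served as plain text.
    find "$cgibin" -type f -links +1 | while IFS= read -r script; do
        find "$docroot" -samefile "$script" ! -path "$cgibin/*" |
        while IFS= read -r other; do
            printf 'HARDLINK %s == %s\n' "$other" "$script"
        done
    done
}

# Run as: sh audit.sh /path/to/public_html /path/to/public_html/cgi-bin
if [ "$#" -eq 2 ]; then
    audit_cgi_exposure "$1" "$2"
fi
```

Any line of output is a path the web server may hand out as plain text; remove the link or deny it in the server configuration.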