CVE-2025-53859

EPSS 0.1%
Veröffentlicht 13.08.2025 14:46:55
Zuletzt bearbeitet 04.11.2025 22:16:27
Quelle f5sirt@f5.com
CVE-Watchlists
Login
Unerledigt
Login

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header.




Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

F5 ≫ Nginx Plus Versionr30 Update-

F5 ≫ Nginx Plus Versionr31 Update-

F5 ≫ Nginx Plus Versionr32 Update-

F5 ≫ Nginx Plus Versionr32 Updatep1

F5 ≫ Nginx Plus Versionr32 Updatep2

F5 ≫ Nginx Plus Versionr33 Update-

F5 ≫ Nginx Plus Versionr33 Updatep1

F5 ≫ Nginx Plus Versionr33 Updatep2

F5 ≫ Nginx Plus Versionr34 Update-

F5 ≫ Nginx Plus Versionr34 Updatep1

F5 ≫ Nginx Open Source Version >= 0.7.22 < 1.29.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.286

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
f5sirt@f5.com	6.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
f5sirt@f5.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://my.f5.com/manage/s/article/K000152786

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/08/13/5

https://nvd.nist.gov/vuln/detail/CVE-2025-53859

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53859

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53859

EUVD