CVE-2025-53859

13.08.2025, 15:15

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header.




Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
f5	CNA	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Vendor	Product	Version
f5	nginx_open_source	0.7.22 ≤ 𝑥 < 1.29.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

nginx

bullseye	postponed
bullseye (security)	vulnerable
bookworm	1.22.1-9+deb12u3 fixed
trixie	1.26.3-3+deb13u1 fixed
forky	1.28.0-6 fixed
sid	1.28.0-6 fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://my.f5.com/manage/s/article/K000152786

http://www.openwall.com/lists/oss-security/2025/08/13/5