CVE-2025-30189 — Improper Preservation of Consistency Between Independent Representations of Shared State in Dovecot

CWE-1250 — Improper Preservation of Consistency Between Independent Representations of Shared State4 documents4 sources

Severity

7.4HIGHNVD

EPSS

0.0%

top 90.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Open-xchange Gmbh OX Dovecot PRO

Timeline

PublishedOct 31

Description

When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages3 packages

▶debiandebian/dovecot< dovecot 1:2.4.1+dfsg1-7 (forky)

▶Debiandovecot/dovecot< 1:2.4.1+dfsg1-6+deb13u1+1

▶CVEListV5open-xchange_gmbh/ox_dovecot_pro3.1.0

🔴Vulnerability Details

GHSA

GHSA-396v-898v-98hg: When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for the↗2025-10-31

▶

OSV

CVE-2025-30189: When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for the↗2025-10-31

▶

📋Vendor Advisories

Debian

CVE-2025-30189: dovecot - When cache is enabled, some passdb/userdb drivers incorrectly cache all users wi...↗2025

▶