CVE-2025-59028 — Improper Input Validation in Dovecot

CWE-20 — Improper Input Validation CWE-1286 — Improper Validation of Syntactic Correctness of Input8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 73.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Open-xchange Gmbh OX Dovecot PRO

Timeline

PublishedMar 27

Latest updateMar 31

Description

When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.4.3+dfsg1-1 (sid)

▶Debiandovecot/dovecot< 1:2.4.1+dfsg1-6+deb13u4

▶Ubuntudovecot/dovecot< 1:2.3.16+dfsg1-3ubuntu2.7+2

▶CVEListV5open-xchange_gmbh/ox_dovecot_pro3.1.0

🔴Vulnerability Details

OSV

dovecot vulnerabilities↗2026-03-31

▶

GHSA

GHSA-9q9x-wwfr-fxqm: When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail↗2026-03-27

▶

OSV

CVE-2025-59028: When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail↗2026-03-27

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2026-03-31

▶

Red Hat

dovecot: Dovecot: Denial of Service via invalid SASL data↗2026-03-27

▶

Debian

CVE-2025-59028: dovecot - When sending invalid base64 SASL data, login process is disconnected from the au...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-59028 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶