CVE-2025-59031 — Sensitive Information Exposure in Dovecot

CWE-200 — Sensitive Information Exposure CWE-611 — XML External Entity (XXE) Injection8 documents7 sources

Severity

4.3MEDIUMNVD

OSV5.3

EPSS

0.0%

top 91.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Open-xchange Gmbh OX Dovecot PRO

Timeline

PublishedMar 27

Latest updateMar 31

Description

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (bookworm)

▶Debiandovecot/dovecot< 1:2.3.19.1+dfsg1-2.1+deb12u2+1

▶Ubuntudovecot/dovecot< 1:2.3.16+dfsg1-3ubuntu2.7+2

▶CVEListV5open-xchange_gmbh/ox_dovecot_pro2.3.0

🔴Vulnerability Details

OSV

dovecot vulnerabilities↗2026-03-31

▶

OSV

CVE-2025-59031: Dovecot has provided a script to use for attachment to text conversion↗2026-03-27

▶

GHSA

GHSA-7r6x-855q-h59r: Dovecot has provided a script to use for attachment to text conversion↗2026-03-27

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2026-03-31

▶

Red Hat

dovecot: Dovecot: Information disclosure via specially crafted OOXML documents↗2026-03-27

▶

Debian

CVE-2025-59031: dovecot - Dovecot has provided a script to use for attachment to text conversion. This scr...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-59031 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶