CVE-2025-59032 — Improper Input Validation in Dovecot

CWE-20 — Improper Input Validation CWE-229 — Improper Handling of Values8 documents7 sources

Severity

7.5HIGHNVD

OSV5.3

EPSS

0.1%

top 78.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Open-xchange Gmbh OX Dovecot PRO

Timeline

PublishedMar 27

Latest updateMar 31

Description

ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (bookworm)

▶Debiandovecot/dovecot< 1:2.3.19.1+dfsg1-2.1+deb12u2+1

▶Ubuntudovecot/dovecot< 1:2.3.16+dfsg1-3ubuntu2.7+2

▶CVEListV5open-xchange_gmbh/ox_dovecot_pro3.1.0

🔴Vulnerability Details

OSV

dovecot vulnerabilities↗2026-03-31

▶

OSV

CVE-2025-59032: ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response↗2026-03-27

▶

GHSA

GHSA-w2gj-cmfm-c4j4: ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response↗2026-03-27

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2026-03-31

▶

Red Hat

dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command↗2026-03-27

▶

Debian

CVE-2025-59032: dovecot - ManageSieve AUTHENTICATE command crashes when using literal as SASL initial resp...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-59032 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶