CVE-2025-30189
BaseFortify
Publication date: 2025-10-31
Last updated on: 2026-03-27
Assigner: Open-Xchange
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-xchange | dovecot | 2.4.1 |
| open-xchange | dovecot | 2.4.2 |
| open-xchange | dovecot | 2.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1250 | The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-30189 is a vulnerability in Open-Xchange's Dovecot CE product affecting versions 2.4.0 and 2.4.1. When caching is enabled for certain passdb/userdb drivers, the system incorrectly caches all users under the same cache key instead of unique keys per user. This causes the authentication cache to return the wrong user information after the first login, meaning that after one user logs in, all subsequent logins are treated as that same user. This flaw arises from improper handling of the cache key expansion, leading to incorrect reuse of cached authentication data. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause users to be authenticated as the wrong user, potentially granting access to another user's account. This leads to a serious breach of confidentiality and integrity, as unauthorized users may access sensitive information or perform actions under another user's identity. The impact is high on confidentiality and integrity but does not affect availability. It can result in unauthorized data exposure and compromise of user accounts. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with two checks: whether an affected Dovecot version (2.4.0 or 2.4.1) is in use, and whether authentication caching is enabled for the passdb/userdb drivers. Because the flaw makes every login after the first cached one resolve to that same user, monitoring login behavior for repeated identical user sessions despite different credentials can also indicate the issue. The Dovecot version is shown by `dovecot --version`. To check whether auth caching is enabled, inspect the Dovecot configuration files for the `auth_cache_size` setting, for example with `grep auth_cache_size /etc/dovecot/conf.d/*`. If `auth_cache_size` is greater than 0, caching is enabled and the system may be vulnerable if it is running an affected version. [2]
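The two conditions above combined into one host check, as an added example that is not part of the advisory or of Dovecot's own tooling; it assumes the version text comes from `dovecot --version` and the configuration text from the files under `/etc/dovecot/conf.d/` as the answer suggests, and takes both as strings so it can also run against captured output.

```shell
#!/bin/sh
# Added example: flag a host as exposed to CVE-2025-30189 only when it runs an
# affected Dovecot release AND has a non-zero auth_cache_size configured.

# True (status 0) when the `dovecot --version` text names an affected release.
# Example input: "2.4.1 (abcd)" -> version 2.4.1 -> affected.
dovecot_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        2.4.0|2.4.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True (status 0) when the configuration text enables the auth cache.
# Commented-out lines are ignored, the last uncommented setting wins, and
# Dovecot size suffixes (k, M, G) are accepted. A missing setting counts as
# disabled, matching Dovecot's default of 0.
auth_cache_enabled() {
    size=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*auth_cache_size[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        | tail -n 1)
    [ -z "$size" ] && return 1
    num=$(printf '%s' "$size" | sed 's/[kKmMgG]$//')
    case "$num" in
        ''|*[!0-9]*) return 1 ;;   # unparseable value: treat as disabled
    esac
    [ "$num" -gt 0 ]
}

# Prints a verdict and returns 0 only when both conditions hold.
check_cve_2025_30189() {
    if dovecot_version_affected "$1" && auth_cache_enabled "$2"; then
        echo "vulnerable: affected Dovecot version with auth cache enabled"
        return 0
    fi
    echo "not vulnerable"
    return 1
}

# Live-host usage (paths as assumed in the detection answer):
# check_cve_2025_30189 "$(dovecot --version)" "$(cat /etc/dovecot/conf.d/*)"
```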
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include either upgrading Dovecot to version 2.4.2 or later, where the vulnerability is fixed, or disabling authentication caching by setting `auth_cache_size=0` in the Dovecot configuration. Disabling caching can be done globally or specifically for the impacted passdb/userdb drivers. These steps prevent the incorrect caching behavior that leads to users being logged in as the wrong account. [1, 2]