{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59031", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2025-09-08T14:22:28.105Z", "datePublished": "2026-03-27T08:10:15.956Z", "dateUpdated": "2026-03-27T19:42:40.634Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["core"], "product": "OX Dovecot Pro", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "2.3.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:21.043Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "source": {"defect": "DOV-8584", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:42:31.241566Z", "id": "CVE-2025-59031", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:42:40.634Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE209329-C5EA-4EE7-A23E-CD2EC061A9A4", "versionEndExcluding": "2.4.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*", "matchCriteriaId": "5CF82590-D98A-4E06-AC8C-6CC3506ED923", "versionEndExcluding": "2.3.22.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*", "matchCriteriaId": "F1137EFF-7493-4E1C-842A-FD0AF16B59DE", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known."}], "id": "CVE-2025-59031", "lastModified": "2026-04-29T19:13:14.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-03-27T09:16:18.783", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{"bugzilla": {"description": "dovecot: Dovecot: Information disclosure via specially crafted OOXML documents", "id": "2452174", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452174"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-611", "details": ["Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.", "A flaw was found in Dovecot. An attacker can exploit this by using specially crafted OOXML (Office Open XML) documents that are unsafely handled by a provided script designed for attachment to text conversion. This can lead to unintended files on the system being indexed and subsequently exposed in Full Text Search (FTS) indexes, resulting in information disclosure."], "name": "CVE-2025-59031", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T08:10:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59031\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59031\nhttps://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.0]"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "OX Dovecot Pro", "source": "cna", "vendor": "Open-Xchange GmbH"}, "product": "ox_dovecot_pro", "vendor": "open-xchange"}], "analysis": {"en": {"generated_at": "2026-03-28T13:29:58.730808+00:00", "value": {"mitigation_remediation": ["Discontinue use of the bundled attachment conversion script", "Employ an alternative FTS solution such as Apache Tika", "Verify that only trusted or validated attachments are processed", "Monitor vendor advisories for an official patch or update", "Configure file\u2010oriented security controls to prevent unauthorized indexing"], "summary": {"action": "Use Alternative Script", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw impacts Open\u2011Xchange GmbH\u2019s OX Dovecot Pro product. No specific affected revision numbers are listed, so any deployment that utilizes the default attachment conversion script is potentially vulnerable.", "description_and_impact": "Dovecot\u2019s attachment conversion script mishandles zip\u2011style OOXML documents, allowing an attacker to inject unintended local files into the full\u2011text search index. This leads to the exposure of potentially sensitive data through the FTS mechanism, representing an information disclosure vulnerability rooted in improper parsing of XML (CWE\u2011611) and a broader information exposure (CWE\u2011200).", "risk_and_exploitability": "The calculated CVSS score of 4.3 classifies the issue as low severity, and an EPSS score below 1% indicates a very low likelihood of active exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to supply crafted OOXML attachments processed by the script; no public exploits are known at this time."}}}}, "created": "2026-03-27T09:45:47.801931+00:00", "updated": "2026-03-30T07:59:48.070883+00:00", "vendors": ["open-xchange", "open-xchange$PRODUCT$ox_dovecot_pro"]}