NGINX Open Source and NGINX Plus Vulnerability in SMTP Module
CVE-2025-53859
What is CVE-2025-53859?
CVE-2025-53859 is a vulnerability identified in the NGINX Open Source and NGINX Plus web server software, specifically within the ngx_mail_smtp_module. This vulnerability allows an unauthenticated attacker to exploit the SMTP authentication process, potentially leading to unauthorized leakage of sensitive data from the server memory. The threat arises when the NGINX server is configured with the smtp_auth directive set to "none" and is built with the ngx_mail_smtp_module enabled. This situation could allow an attacker, after making initial preparatory steps against the target system, to retrieve arbitrary bytes sent to the authentication server during the SMTP authentication phase. Consequently, organizations running affected versions of NGINX may face serious security risks, as such vulnerabilities can facilitate further exploits, data exposure, or compromise of server integrity.
Potential impact of CVE-2025-53859
-
Data Leakage: The vulnerability can lead to the exposure of sensitive information stored in memory, potentially revealing passwords or other confidential data during the SMTP authentication procedure.
-
Unauthorized Access: By successfully exploiting this vulnerability, attackers could gain unauthorized access to SMTP communication, allowing them to intercept or manipulate email traffic, which may lead to broader security breaches.
-
Increased Attack Surface: Organizations vulnerable to this exploit may experience heightened risk from follow-on attacks, as compromised authentication processes can serve as entry points for further exploitation or lateral movement within networks.
Affected Version(s)
NGINX Open Source 0.7 < 1.29.1
NGINX Plus R34
NGINX Plus R33
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved