NGINX Open Source and NGINX Plus Vulnerability in SMTP Module
CVE-2025-53859

6.3 MEDIUM

Key Information:

Vendor:
F5

CVE Published:
13 August 2025

What is CVE-2025-53859?

A vulnerability in the nginx_mail_smtp_module of NGINX Open Source and NGINX Plus could allow an unauthenticated attacker to obtain sensitive information by over-reading the server's memory during SMTP authentication. The issue arises only when the server is configured with the smtp_auth directive set to 'none'; in that configuration, arbitrary bytes sent in authentication requests may be extracted from memory. Attackers must make specific preparations to exploit the flaw, so users should review their SMTP configurations to mitigate the risk of unintended data leakage.
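A defender's check for the condition described above, added here as an example and not part of the F5 advisory: it reads an nginx configuration with a small hand-written parser (an assumption of this example; nginx's own parser is not used) and reports SMTP servers whose effective smtp_auth includes none, honouring server-level overrides of a mail-level setting.

```python
"""Added example, not F5's code: flag NGINX SMTP servers whose effective
smtp_auth includes 'none'. Small hand-written parser for the syntax subset used here."""
import re

def tokenize(text):
    # Drop '#' comments, then split into words, ';', '{' and '}'.
    return re.findall(r'[{};]|[^\s{};]+', re.sub(r'#[^\n]*', '', text))

def parse(tokens):
    """Return [(name, args, children)]; children is a list for a block, else None."""
    top = []; stack = [top]; cur = []
    for tok in tokens:
        if tok == ';' and cur:
            stack[-1].append((cur[0], cur[1:], None)); cur = []
        elif tok == '{' and cur:
            block = []
            stack[-1].append((cur[0], cur[1:], block)); stack.append(block); cur = []
        elif tok == '}':
            stack.pop()
        elif tok not in ';{}':
            cur.append(tok)
    return top

def last(items, name, default):
    # Last occurrence of a directive wins; default when it is absent.
    vals = [args for n, args, _ in items if n == name]
    return vals[-1] if vals else default

def smtp_servers_allowing_none(config_text):
    """Listen values of SMTP servers whose effective smtp_auth includes 'none'
    (server-level smtp_auth overrides mail-level; nginx's default is 'plain login')."""
    findings = []
    for name, _, children in parse(tokenize(config_text)):
        if name != 'mail' or children is None:
            continue
        mail_auth = last(children, 'smtp_auth', ['plain', 'login'])
        for n, _, srv in children:
            if n != 'server' or srv is None:
                continue
            if last(srv, 'protocol', [None])[0] == 'smtp' and \
                    'none' in last(srv, 'smtp_auth', mail_auth):
                findings.append(' '.join(last(srv, 'listen', ['?'])))
    return findings

# Constructed sample: mail-level 'none' is inherited by port 25, overridden on 587.
SAMPLE_CFG = """
mail {
    smtp_auth none;   # safe setting: smtp_auth login plain;
    server { listen 25;  protocol smtp; }
    server { listen 587; protocol smtp; smtp_auth login plain; }
    server { listen 143; protocol imap; }
}"""
```

Run `smtp_servers_allowing_none(SAMPLE_CFG)` to see only port 25 reported; the same call on a configuration with `smtp_auth login plain;` at mail level returns nothing.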

Affected Version(s)

NGINX Open Source 0.7 up to (not including) 1.29.1

NGINX Plus R34

NGINX Plus R33

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5 acknowledges the Amazon Web Services Security team for bringing this issue to our attention and following the highest standards of coordinated disclosure.