CVE-2025-59031 - Vulnerability Details

- dovecot: Dovecot: Information disclosure via specially crafted OOXML documents

Description

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

Published: 2026-03-27

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Dovecot’s attachment conversion script mishandles zip‑style OOXML documents, allowing an attacker to inject unintended local files into the full‑text search index. This leads to the exposure of potentially sensitive data through the FTS mechanism, representing an information disclosure vulnerability rooted in improper parsing of XML (CWE‑611) and a broader information exposure (CWE‑200).

Affected Systems

The flaw impacts Open‑Xchange GmbH’s OX Dovecot Pro product. No specific affected revision numbers are listed, so any deployment that utilizes the default attachment conversion script is potentially vulnerable.

Risk and Exploitability

The calculated CVSS score of 4.3 classifies the issue as low severity, and an EPSS score below 1% indicates a very low likelihood of active exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply crafted OOXML attachments processed by the script; no public exploits are known at this time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Open-Xchange GmbH

OX Dovecot Pro

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.3.0

Configuration 1 [-]

OR	cpe:2.3:a:dovecot:dovecot::::::::
	cpe:2.3:a:open-xchange:dovecot:::::pro:::*
	cpe:2.3:a:open-xchange:dovecot:::::pro:::*

No data.

Vendor Product Confidence Versions

Open-xchange

Ox Dovecot Pro

92%

Version	Status	Scheme	Platform
`[0,2.3.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Discontinue use of the bundled attachment conversion script
Employ an alternative FTS solution such as Apache Tika
Verify that only trusted or validated attachments are processed
Monitor vendor advisories for an official patch or update
Configure file‐oriented security controls to prevent unauthorized indexing

Generated by OpenCVE AI on March 28, 2026 at 13:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6197-1	dovecot security update
Ubuntu USN	USN-8136-1	Dovecot vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json
https://nvd.nist.gov/vuln/detail/CVE-2025-59031
https://www.cve.org/CVERecord?id=CVE-2025-59031

History

Wed, 29 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dovecot Dovecot dovecot Open-xchange dovecot
CPEs		cpe:2.3:a:dovecot:dovecot:::::::: cpe:2.3:a:open-xchange:dovecot:::::pro:::*
Vendors & Products		Dovecot Dovecot dovecot Open-xchange dovecot

Mon, 30 Mar 2026 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open-xchange Open-xchange ox Dovecot Pro
Vendors & Products		Open-xchange Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Unsafe Attachment Conversion Script Allows Unauthorized File Indexing via Crafted OOXML	dovecot: Dovecot: Information disclosure via specially crafted OOXML documents
Weaknesses		CWE-611
References		https://nvd.nist.gov/vuln/detail/CVE-2025-59031 https://www.cve.org/CVERecord?id=CVE-2025-59031
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 27 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
Title		Unsafe Attachment Conversion Script Allows Unauthorized File Indexing via Crafted OOXML

Fri, 27 Mar 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.
Weaknesses		CWE-200
References		https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Dovecot Dovecot

Open-xchange Dovecot Ox Dovecot Pro

MITRE

Status: PUBLISHED

Assigner: OX

Published: 2026-03-27T08:10:15.956Z

Updated: 2026-03-27T19:42:40.634Z

Reserved: 2025-09-08T14:22:28.105Z

Link: CVE-2025-59031

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-27T09:16:18.783

Modified: 2026-04-29T19:13:14.380

Link: CVE-2025-59031

Redhat

Severity : Moderate

Publid Date: 2026-03-27T08:10:15Z

Links: CVE-2025-59031 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:59:48Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object