-------- Original Message -------- From: Aki Tuomi via Dovecot-news <[email protected]> Sent: October 29, 2025 8:22:46 AM UTC To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]> Subject: [Dovecot-news] CVE-2025-30189 notification Affected product: Dovecot IMAP Server Internal reference: DOV-7830 Vulnerability type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State) Vulnerable version: 2.4.0, 2.4.1 Vulnerable component: auth Report confidence: Confirmed Solution status: Fixed in 2.4.2 Researcher credits: Erik <[email protected]> Vendor notification: 2025-07-25 CVE reference: CVE-2025-30189 CVSS: 7.4 (CVSS3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) Vulnerability Details: Using auth caching with oauth2 passdb, passwd passdb or userdb, or passwd userdb, causes the first lookup to be cached for all the lookups. This is because the cache key is "%u" which no longer actually expands to same as "%{user}". Workaround: Disabling auth cache will prevent the issue. Fix Install non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/a70ce7d3e2f983979e971414c5892c4e30197231%5E...34caed79b76a7b82a2a9c94cf35371bec6c2b826.patch
