CVE-2025-53859

NameCVE-2025-53859
DescriptionNGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1111138

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)bullseye1.18.0-6.1+deb11u3vulnerable
bullseye (security)1.18.0-6.1+deb11u5vulnerable
bookworm1.22.1-9+deb12u3fixed
trixie1.26.3-3+deb13u1fixed
forky, sid1.28.0-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsourceexperimental1.28.0-2
nginxsourcebookworm1.22.1-9+deb12u3
nginxsourcetrixie1.26.3-3+deb13u1
nginxsource(unstable)1.28.0-31111138

Notes

[bullseye] - nginx <postponed> (minor issue)
https://www.openwall.com/lists/oss-security/2025/08/13/5
https://nginx.org/download/patch.2025.smtp.txt
Search for package or bug name: Reporting problems