{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T12:15:20.003","vulnerabilities":[{"cve":{"id":"CVE-2025-53859","sourceIdentifier":"f5sirt@f5.com","published":"2025-08-13T15:15:37.657","lastModified":"2025-11-04T22:16:27.033","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method \"none,\" and (3) the authentication server returns the \"Auth-Wait\" response header.\n\n\n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."},{"lang":"es","value":"NGINX Open Source y NGINX Plus presentan una vulnerabilidad en el módulo ngx_mail_smtp_module que podría permitir que un atacante no autenticado sobrelea la memoria del proceso de autenticación SMTP de NGINX. Como resultado, el servidor podría filtrar bytes arbitrarios enviados en una solicitud al servidor de autenticación. Este problema ocurre durante el proceso de autenticación SMTP de NGINX y requiere que el atacante realice preparativos en el sistema objetivo para extraer los datos filtrados. El problema afecta a NGINX solo si (1) se compila con el módulo ngx_mail_smtp_module, (2) la directiva smtp_auth está configurada con el método \"none\" y (3) el servidor de autenticación devuelve el encabezado de respuesta \"Auth-Wait\". Nota: Las versiones de software que han alcanzado el fin del soporte técnico (EoTS) no se evalúan."}],"metrics":{"cvssMetricV40":[{"source":"f5sirt@f5.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"f5sirt@f5.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"f5sirt@f5.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*","matchCriteriaId":"96BF2B19-52C7-4051-BA58-CAE6F912B72F"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:*","matchCriteriaId":"8248517E-D805-4928-8252-2168472341EF"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:*","matchCriteriaId":"36C4308E-651E-437C-84E7-10C542E3ADC2"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*","matchCriteriaId":"FA913184-EAAD-409E-99C6-AB979DAA93F3"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*","matchCriteriaId":"782DF180-1101-4D6A-A1D7-8DADBAF6D9D3"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r33:-:*:*:*:*:*:*","matchCriteriaId":"514B0A2A-E2FD-4DB7-B5B8-5C59F1D60AD8"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*","matchCriteriaId":"46DC49B8-7286-4867-9CDA-1C1B469CD304"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*","matchCriteriaId":"43477C2E-7485-4146-B25C-F58D632CD85B"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r34:-:*:*:*:*:*:*","matchCriteriaId":"25292797-19EC-446B-BB26-FAC7A280F61D"},{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*","matchCriteriaId":"7453D683-FCA7-46EE-BE49-5FD9A01D7F87"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*","versionStartIncluding":"0.7.22","versionEndExcluding":"1.29.1","matchCriteriaId":"69F418AB-2C97-42AF-9D5F-5F27B7451046"}]}]}],"references":[{"url":"https://my.f5.com/manage/s/article/K000152786","source":"f5sirt@f5.com","tags":["Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2025/08/13/5","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}