csaf_certbund - wid-sec-w-2025-1817

WID-SEC-W-2025-1817

Vulnerability from csaf_certbund - Published: 2025-08-13 22:00 - Updated: 2025-10-01 22:00

Summary

NGINX: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

NGINX ist eine Webserver-, Reverse Proxy- und E-Mail-Proxy Software. NGINX Plus ist die kommerzielle Variante von NGINX, einer Webserver-, Reverse Proxy- und E-Mail Proxy Software.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in NGINX und NGINX NGINX Plus ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "NGINX ist eine Webserver-, Reverse Proxy- und E-Mail-Proxy Software.\r\nNGINX Plus ist die kommerzielle Variante von NGINX, einer Webserver-, Reverse Proxy- und E-Mail Proxy Software.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in NGINX und NGINX NGINX Plus ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1817 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1817.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1817 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1817"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K000152786 vom 2025-08-13",
        "url": "https://my.f5.com/manage/s/article/K000152786"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2388238 vom 2025-08-13",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388238"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15450-1 vom 2025-08-16",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XOJA3M7XBK43KBYHINPYOYFJRABKA6XN/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2NGINX1-2025-009 vom 2025-08-19",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2NGINX1-2025-009.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7715-1 vom 2025-08-25",
        "url": "https://ubuntu.com/security/notices/USN-7715-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:03089-1 vom 2025-09-05",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-September/022395.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:03243-1 vom 2025-09-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-September/022554.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:03444-1 vom 2025-10-01",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6JIB47EAYRUZ4F35CJEO6OJ2ZG4MJDRC/"
      }
    ],
    "source_lang": "en-US",
    "title": "NGINX: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2025-10-01T22:00:00.000+00:00",
      "generator": {
        "date": "2025-10-02T08:18:56.262+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1817",
      "initial_release_date": "2025-08-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-08-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-08-17T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-08-19T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-08-25T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-09-07T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-09-17T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-10-01T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "7"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "0.7 \u003c1.29.1",
                "product": {
                  "name": "NGINX NGINX 0.7 \u003c1.29.1",
                  "product_id": "T046195"
                }
              },
              {
                "category": "product_version",
                "name": "0.7 1.29.1",
                "product": {
                  "name": "NGINX NGINX 0.7 1.29.1",
                  "product_id": "T046195-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx:1.29.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NGINX"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "R30",
                "product": {
                  "name": "NGINX NGINX Plus R30",
                  "product_id": "T046196",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r30"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "R31",
                "product": {
                  "name": "NGINX NGINX Plus R31",
                  "product_id": "T046197",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r31"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "R33 \u003cR33 P3",
                "product": {
                  "name": "NGINX NGINX Plus R33 \u003cR33 P3",
                  "product_id": "T046198"
                }
              },
              {
                "category": "product_version",
                "name": "R33 R33 P3",
                "product": {
                  "name": "NGINX NGINX Plus R33 R33 P3",
                  "product_id": "T046198-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r33_p3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "R32 \u003cR32 P3",
                "product": {
                  "name": "NGINX NGINX Plus R32 \u003cR32 P3",
                  "product_id": "T046199"
                }
              },
              {
                "category": "product_version",
                "name": "R32 R32 P3",
                "product": {
                  "name": "NGINX NGINX Plus R32 R32 P3",
                  "product_id": "T046199-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r32_p3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "R34 \u003cR34 P2",
                "product": {
                  "name": "NGINX NGINX Plus R34 \u003cR34 P2",
                  "product_id": "T046200"
                }
              },
              {
                "category": "product_version",
                "name": "R34 R34 P2",
                "product": {
                  "name": "NGINX NGINX Plus R34 R34 P2",
                  "product_id": "T046200-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nginx:nginx_plus:r34_p2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NGINX Plus"
          }
        ],
        "category": "vendor",
        "name": "NGINX"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-53859",
      "product_status": {
        "known_affected": [
          "T002207",
          "T046195",
          "T000126",
          "T027843",
          "T046198",
          "T046199",
          "398363",
          "T046196",
          "T046197",
          "T046200"
        ]
      },
      "release_date": "2025-08-13T22:00:00.000+00:00",
      "title": "CVE-2025-53859"
    }
  ]
}

CVE-2025-53859 (GCVE-0-2025-53859)

Vulnerability from cvelistv5 – Published: 2025-08-13 14:46 – Updated: 2025-11-04 21:12

Title

NGINX ngx_mail_smtp_module vulnerability

Summary

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-125 - Out-of-bounds Read

Assigner

References

URL

Tags

https://my.f5.com/manage/s/article/K000152786

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Plus

Unaffected: R35 (custom)
Affected: R34 , < R34 P2 (custom)
Affected: R33 , < R33 P3 (custom)
Affected: R32 , < R32 P3 (custom)
Affected: R31 , < * (custom)
Affected: R30 , < * (custom)

NGINX Open Source

Affected: 0.7 , < 1.29.1 (custom)

Credits

F5 acknowledges the Amazon Web Services Security team for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53859",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T15:06:23.895538Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T15:14:55.021Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:12:39.856Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/13/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_smtp_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "status": "unaffected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "R34 P2",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "R33 P3",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P3",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R31",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R30",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_smtp_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.1",
              "status": "affected",
              "version": "0.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges the Amazon Web Services Security team for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2025-08-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method \"none,\" and (3) the authentication server returns the \"Auth-Wait\" response header.\n\n\n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method \"none,\" and (3) the authentication server returns the \"Auth-Wait\" response header.\n\n\n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-13T14:46:55.471Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000152786"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_mail_smtp_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2025-53859",
    "datePublished": "2025-08-13T14:46:55.471Z",
    "dateReserved": "2025-07-29T17:12:25.039Z",
    "dateUpdated": "2025-11-04T21:12:39.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-1817

CVE-2025-53859 (GCVE-0-2025-53859)

Tags

Sightings

Nomenclature