DEBIAN-CVE-2025-59028

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-59028
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59028.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-59028
Upstream
  • CVE-2025-59028
Published
2026-03-27T09:16:18.620Z
Modified
2026-05-01T09:00:12.937299Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known.

References

Affected packages

Debian:13 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.4.1+dfsg1-6+deb13u4

Affected versions

1:2.*
1:2.4.1+dfsg1-6
1:2.4.1+dfsg1-6+deb13u1
1:2.4.1+dfsg1-6+deb13u2
1:2.4.1+dfsg1-6+deb13u3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59028.json"

Debian:14 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.4.3+dfsg1-1

Affected versions

1:2.*
1:2.4.1+dfsg1-6
1:2.4.1+dfsg1-7
1:2.4.1+dfsg1-8
1:2.4.1+dfsg1-9
1:2.4.2+dfsg1-1
1:2.4.2+dfsg1-2
1:2.4.2+dfsg1-3
1:2.4.2+dfsg1-4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59028.json"