AZL-66308

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66308.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-66308

Upstream

CVE-2025-53859

Published

2025-08-13T15:15:37Z

Modified

2026-04-01T05:20:56.799851Z

Summary

CVE-2025-53859 affecting package nginx for versions less than 1.22.1-14

Details

NGINX Open Source and NGINX Plus have a vulnerability in the ngxmailsmtpmodule that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngxmailsmtpmodule, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-53859

Affected packages

Azure Linux:2 / nginx

Package

Name: nginx
Purl: pkg:rpm/azure-linux/nginx

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.22.1-14

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66308.json"