CVE Tools
Sign in

CVE-2025-53859

NGINX ngx_mail_smtp_module vulnerability

Published: Aug 13, 2025Updated: Nov 4, 2025 Sources: CVE List NVD BDUCWE-125
NVD MITRE
3.7CVSSLOW
EPSS Score
0.4%
Top 71.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Vector Breakdown

AV:NAC:HPR:NUI:NS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-125

Affected Products

АЛЬТ СП 10АО «ИВК»
On-premOS
Operating Systems / linux-distro
NGINX PlusNGINX Inc.Networking Infrastructure
NGINX Open SourceNGINX Inc.Networking Infrastructure
AngieООО "Веб-Сервер"
On-prem
Networking Infrastructure / load-balancer-proxy
Angie PROООО "Веб-Сервер"
On-prem
Networking Infrastructure / load-balancer-proxy
ао «ивк»commercialRUOperating Systemsaka ivk
nginx inc.commercialUSNetworking Infrastructureaka nginx, nginx plus, njs
ооо "веб-сервер"commercialRUNetworking Infrastructureaka angie, angie pro, angie adc
and 8 more affected products View all →

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Collection
View detailed technique mapping

References

https://www.cve.org/CVERecord?id=CVE-2025-53859
cve.org
https://angie.software/angie/docs/oss_changes/#angie-1-8-2
angie.software
https://angie.software/angie/docs/pro_changes/#angie-pro-1-8-2
angie.software
and 6 more references View all →

Timeline

Published
Aug 13, 2025
Last Updated
Nov 4, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-53859 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows