CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
Dovecot has provided a script to use for attachment-to-text conversion. This script unsafely handles zip-style attachments. An attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently end up in FTS indexes. Do not use the provided script; instead, use something else like FTS Tika. No publicly available exploits are known.
Analysis
Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attackers to get unintended system files indexed and so contaminate full-text search indexes with sensitive content. Open-Xchange Dovecot Pro is affected. The vulnerability results in information disclosure (CWE-200) with a CVSS score of 4.3 and requires prior authentication; no public exploit was identified at the time of analysis.
Technical Context
Dovecot provides a script designed to convert attached documents to plaintext for full-text search (FTS) indexing. The script improperly handles OOXML documents, which are in fact ZIP archives containing XML files. An attacker can craft a malicious OOXML file with directory traversal or symbolic link entries that cause the extraction process to access arbitrary files on the system outside the intended attachment scope. This is classified as CWE-200 (Information Exposure) because unintended file contents become indexed and accessible through FTS mechanisms. The affected product is identified via CPE cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro:*:*:*:*:*:*:*:*, indicating that all versions of OX Dovecot Pro may be vulnerable if the unsafe script is deployed.
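As an added example (not Dovecot's script nor any Open-Xchange code), the converter below shows the two defensive properties the text above calls for: it screens every ZIP entry for traversal and symlink entries before doing anything else, and it never extracts to disk, reading only the known OOXML text parts in memory. The part names, sample documents and the `build_zip` helper are assumptions constructed for the demonstration.

```python
import io
import stat
import zipfile
import xml.etree.ElementTree as ET
# Only these OOXML parts carry body text; nothing else in the archive is ever read.
TEXT_PARTS = ("word/document.xml", "xl/sharedStrings.xml", "ppt/slides/slide1.xml")

def unsafe_entries(data: bytes) -> list:
    """List entries that an on-disk extraction could follow outside the target directory."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            clean = name.replace("\\", "/")
            if clean.startswith("/") or ".." in clean.split("/"):
                problems.append(f"{name}: absolute path or traversal")
            # Unix mode bits live in the high 16 bits of external_attr; S_IFLNK marks a symlink.
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"{name}: symbolic link entry")
    return problems

def ooxml_to_text(data: bytes) -> str:
    """Plain text for FTS indexing, produced entirely in memory (never extracted to disk)."""
    if problems := unsafe_entries(data):
        raise ValueError("rejected archive: " + "; ".join(problems))
    chunks = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in (p for p in TEXT_PARTS if p in zf.namelist()):
            # Untrusted XML: in production parse with defusedxml to block entity expansion.
            root = ET.fromstring(zf.read(part))
            # Text runs are <w:t>, <t> or <a:t>; after namespace expansion all end in "}t".
            chunks.extend(el.text for el in root.iter() if el.tag.endswith("}t") and el.text)
    return " ".join(chunks)

def build_zip(entries) -> bytes:
    """Constructed sample builder (assumed helper): entries are (name, body, unix_mode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body, mode in entries:
            info = zipfile.ZipInfo(name)
            info.external_attr = mode << 16
            zf.writestr(info, body)
    return buf.getvalue()

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DOC_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Quarterly</w:t></w:r>'
           '<w:r><w:t>report</w:t></w:r></w:p></w:body></w:document>')
BENIGN_DOCX = build_zip([("word/document.xml", DOC_XML, 0o100644)])
# Constructed hostile sample: one traversal entry plus one symlink entry with a placeholder target.
HOSTILE_DOCX = build_zip([("word/document.xml", DOC_XML, 0o100644), ("../../outside.txt", "x", 0o100644),
                          ("word/media/link", "/placeholder/target", 0o120777)])
```

`ooxml_to_text(BENIGN_DOCX)` yields the indexable text, while `HOSTILE_DOCX` is rejected with both offending entries named, which is also the line worth logging for detection.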
Affected Products
Open-Xchange Dovecot Pro all versions are affected when the provided text conversion script is deployed for attachment processing (CPE: cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro:*:*:*:*:*:*:*:*). The vulnerability advisory is available at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json per OX's official disclosure.
Remediation
Do not use the provided Dovecot attachment-to-text conversion script. Instead, deploy an alternative FTS solution such as FTS Tika, which includes proper safeguards for ZIP archive extraction and does not suffer from unsafe file access during OOXML processing. Organizations currently using the vulnerable script should replace it immediately, or disable script-based attachment indexing and switch to Tika or an equivalent. Review FTS indexes already built with the unsafe script for exposure of sensitive files and consider re-indexing with a secure solution. Consult the vendor advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json for configuration guidance on migrating to Tika or another compliant FTS backend.
Vendor Status
Ubuntu
Priority: Low
| Release | Status | Version |
|---|---|---|
| trusty | needed | - |
| xenial | needed | - |
| bionic | needed | - |
| focal | needed | - |
| jammy | needed | - |
| noble | needed | - |
| questing | needed | - |
| upstream | released | 2.4.3 |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1:2.3.13+dfsg1-2+deb11u1 | - |
| bullseye (security) | vulnerable | 1:2.3.13+dfsg1-2+deb11u2 | - |
| bookworm, bookworm (security) | vulnerable | 1:2.3.19.1+dfsg1-2.1+deb12u1 | - |
| trixie | vulnerable | 1:2.4.1+dfsg1-6+deb13u3 | - |
| trixie (security) | vulnerable | 1:2.4.1+dfsg1-6+deb13u1 | - |
| forky, sid | vulnerable | 1:2.4.2+dfsg1-4 | - |
| (unstable) | fixed | (unfixed) | unimportant |
EUVD-2025-209090