When caching is enabled, some passdb/userdb drivers incorrectly cache all users under the same cache key, causing the wrong cached information to be used for these users. After a cached login, all subsequent logins are for the same user. Install a fixed version, or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.
PUBLISHED | CVE record format 5.2 | CWE-1250
Problem type
Affected products
Open-Xchange GmbH
OX Dovecot Pro
<= 2.4.0 - AFFECTED
References
GitHub Security Advisories
GHSA-396v-898v-98hg
When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key...
https://github.com/advisories/GHSA-396v-898v-98hg
When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2025-30189
documentation.open-xchange.com
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2025/oxdc-adv-2025-0001.json
seclists.org
http://seclists.org/fulldisclosure/2025/Oct/29
github.com
https://github.com/advisories/GHSA-396v-898v-98hg
JSON source
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-30189",
"assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"assignerShortName": "OX",
"dateUpdated": "2025-10-31T18:37:37.432Z",
"dateReserved": "2025-03-18T08:39:46.884Z",
"datePublished": "2025-10-31T09:02:33.273Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"shortName": "OX",
"dateUpdated": "2025-10-31T09:24:53.340Z"
},
"descriptions": [
{
"lang": "en",
"value": "When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known."
}
],
"affected": [
{
"vendor": "Open-Xchange GmbH",
"product": "OX Dovecot Pro",
"modules": [
"core"
],
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "2.4.0"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Preservation of Consistency Between Independent Representations of Shared State",
"cweId": "CWE-1250",
"type": "cwe"
}
]
}
],
"references": [
{
"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2025/oxdc-adv-2025-0001.json",
"tags": [
"vendor-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH"
}
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE",
"dateUpdated": "2025-10-31T09:05:26.080Z"
},
"title": "CVE Program Container",
"references": [
{
"url": "http://seclists.org/fulldisclosure/2025/Oct/29"
}
]
},
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-10-31T18:37:37.432Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}