Critical Security Vulnerability Discovered in Dovecot IMAP Server

The Dovecot team has issued a security advisory for a vulnerability affecting versions 2.4.0 and 2.4.1 of the popular open-source IMAP server. The flaw, identified as CVE-2025-30189, could allow unauthorized access to user accounts under specific configurations.

The vulnerability, rated at 7.4 out of 10 on the Common Vulnerability Scoring System (CVSS), is categorized as high severity. The attack vector is network-based with high attack complexity, requiring no privileges or user interaction. While there’s no impact to availability, both confidentiality and integrity are rated as high impact.

The issue stems from an authentication caching problem that affects systems using OAuth2 or passwd-based authentication methods. When auth caching is enabled with these configurations, the server incorrectly caches the first authentication lookup and applies it to all subsequent lookups.

The root cause is a cache key expansion issue where the placeholder “%u” no longer properly expands to match “%{user}”, resulting in authentication data being incorrectly shared across different user sessions.

Affected Versions

Organizations running Dovecot versions 2.4.0 or 2.4.1 with the following configurations are vulnerable:

  • OAuth2 passdb with auth caching enabled
  • passwd passdb or userdb with auth caching enabled

If your deployment uses auth caching with any of these authentication methods, immediate action is recommended.

Recommended Actions

As a temporary workaround, system administrators can immediately mitigate the risk by disabling auth caching in their Dovecot configuration. While this may impact performance, it prevents the vulnerability from being exploited.

Given the high severity rating and the potential for unauthorized account access, organizations using affected versions should:

  • Assess Your Configuration – Determine whether your Dovecot deployment uses auth caching with OAuth2 passdb, passwd passdb, or passwd userdb.
  • Permanent Fix – The Dovecot team has released version 2.4.2, which resolves the issue. Administrators should upgrade to this version as soon as possible. The patch is available on the project’s GitHub repository for those who need to review or manually apply the changes.
  • Post-Mitigation Review – Review authentication logs for any suspicious activity that may have occurred while the vulnerability was present.
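As an added example (not code from the Dovecot project or the advisory), the following POSIX shell check covers the first step above: it scans a saved `doveconf -n` dump for auth caching enabled alongside a passwd or OAuth2 backend. It assumes `auth_cache_size` is the directive that turns the cache on (0 or unset disables it) and that the 2.4 block form `passdb passwd { }` implies the passwd driver; the config dumps inside it are constructed, not taken from a real deployment.

```shell
#!/bin/sh
# Added example, not from the Dovecot project or the advisory: scan a saved
# "doveconf -n" dump for the combination CVE-2025-30189 needs, i.e. auth
# caching enabled together with a passwd passdb/userdb or an OAuth2 passdb.
# It does not check the Dovecot version; pair it with "dovecot --version".

# dovecot_auth_cache_exposed FILE
# Returns 0 when FILE shows the cache on plus a risky backend, 1 otherwise.
dovecot_auth_cache_exposed() {
    conf="$1"
    # auth_cache_size = 0 (Dovecot's default when unset) disables the cache.
    cache=$(sed -n 's/^auth_cache_size *= *//p' "$conf" | tr -d ' ' | tail -n 1)
    case "$cache" in
        ''|0|0B|0b) return 1 ;;
    esac
    # "driver = passwd|oauth2" covers explicit driver lines; the named-block
    # form "passdb passwd {" is assumed to be the 2.4 shorthand for the same.
    if grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*(passwd|oauth2)[[:space:]]*$' "$conf" ||
       grep -Eq '^[[:space:]]*(passdb|userdb)[[:space:]]+(passwd|oauth2)[[:space:]]*\{' "$conf"; then
        return 0
    fi
    return 1
}

# Constructed sample dump showing the vulnerable combination.
sample_vulnerable() {
    cat <<'EOF'
auth_cache_size = 10 M
passdb passwd {
  driver = passwd
}
EOF
}

# Same backend with the advisory's workaround applied: cache disabled.
sample_mitigated() {
    cat <<'EOF'
auth_cache_size = 0
passdb passwd {
  driver = passwd
}
EOF
}

# Demo on the constructed sample; on a real host use: doveconf -n > dump.conf
tmp=$(mktemp); sample_vulnerable > "$tmp"
dovecot_auth_cache_exposed "$tmp" && echo "sample: EXPOSED (disable auth cache or upgrade to 2.4.2)"
rm -f "$tmp"
```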

For more technical details and access to the security patch, visit the official Dovecot announcement.

