{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59031", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2025-09-08T14:22:28.105Z", "datePublished": "2026-03-27T08:10:15.956Z", "dateUpdated": "2026-03-27T12:33:21.043Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["core"], "product": "OX Dovecot Pro", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "2.3.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:21.043Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "source": {"defect": "DOV-8584", "discovery": "EXTERNAL"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known."}], "id": "CVE-2025-59031", "lastModified": "2026-03-27T09:16:18.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-03-27T09:16:18.783", "references": [{"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T09:38:31.593846+00:00", "value": {"mitigation_remediation": ["Disable or remove the default attachment conversion script in OX Dovecot Pro.", "Replace the script with a secure alternative, such as the Tika\u2011based FTS solution.", "Verify that no unintended files are being indexed after changes.", "Review the FTS index regularly for unexpected content."], "summary": {"action": "Replace Script", "impact": "Potential data exposure through unauthorized file indexing"}, "threat_synthesis": {"affected_systems": "This issue affects the Open\u2011Xchange GmbH OX Dovecot Pro product. Any installation that includes the default attachment conversion script is potentially impacted. The advisory does not specify version ranges, so all current releases using this script are considered vulnerable.", "description_and_impact": "The vulnerability exists in a script that converts email attachments into plain text for full\u2011text search. The script uncritically processes zip\u2011style attachments, allowing a malicious OOXML document to create arbitrary files on the server. Those files are then indexed by the FTS engine, making them discoverable. This presents an information\u2011exposure risk (CWE\u2011200) because an attacker can cause sensitive files to appear in search results.", "risk_and_exploitability": "The CVSS base score is 4.3, indicating moderate severity. EPSS data is not available and no public exploits are documented. The vulnerability is not in the KEV list. Exploitation requires an attacker to send a specially crafted OOXML attachment that the server processes. The attack vector is therefore internal email handling; it does not provide remote code execution but enables unauthorized file indexing."}}}}, "created": "2026-03-27T09:45:47.801931+00:00", "title": "Unsafe Attachment Conversion Script Allows Unauthorized File Indexing via Crafted OOXML", "updated": "2026-03-27T09:45:47.801989+00:00", "vendors": []}