CVE-2025-30189 — dovecot - security update

Description

When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.

How to fix CVE-2025-30189

To remediate CVE-2025-30189, upgrade the affected package to a fixed version below.

—upgrade to 2.4.2-r0 or later
—upgrade to 1:2.4.1+dfsg1-6+deb13u1 or later
—upgrade to 1:2.4.1+dfsg1-6+deb13u1 or later

Is CVE-2025-30189 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.2-r0
from 0, < 1:2.4.1+dfsg1-6+deb13u1
from 0, < 1:2.4.1+dfsg1-6+deb13u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-30189
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-30189