 
oss-sec mailing list archives
CVE-2025-30189: Dovecot IMAP Server: Using auth caching causes the first lookup to be cached for all lookups
From: Camelia Lavender <cam () camelia dev>
Date: Wed, 29 Oct 2025 08:49:48 +0000
-------- Original Message --------
From: Aki Tuomi via Dovecot-news <dovecot-news () dovecot org>
Sent: October 29, 2025 8:22:46 AM UTC
To: "dovecot () dovecot org" <dovecot () dovecot org>, "dovecot-news () dovecot org" <dovecot-news () dovecot org>
Subject: [Dovecot-news] CVE-2025-30189 notification
Affected product: Dovecot IMAP Server
Internal reference: DOV-7830
Vulnerability type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State)
Vulnerable version: 2.4.0, 2.4.1
Vulnerable component: auth
Report confidence: Confirmed
Solution status: Fixed in 2.4.2
Researcher credits: Erik <erik () broadlux com>
Vendor notification: 2025-07-25
CVE reference: CVE-2025-30189
CVSS: 7.4 (CVSS3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Vulnerability Details:
Using auth caching with oauth2 passdb, passwd passdb or userdb, or passwd userdb, causes the first lookup to be cached for all the lookups. This is because the cache key is "%u" which no longer actually expands to the same as "%{user}".
Workaround:
Disabling auth cache will prevent the issue.
Fix:
Install a non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/a70ce7d3e2f983979e971414c5892c4e30197231%5E...34caed79b76a7b82a2a9c94cf35371bec6c2b826.patch
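To make the failure mode concrete, here is a small Python model (added here; not Dovecot's code) of an auth cache whose key template is expanded per lookup. It assumes the 2.4 variable syntax expands "%{user}" but leaves the legacy "%u" as a literal, so a "%u" key is the same string for every user; cache_key_is_per_user is a hypothetical self-check an operator could run on a key template.

```python
import re

# Added model of Dovecot-style auth cache keying; not Dovecot's code.
# Assumption: only "%{name}" is expanded, legacy "%u" stays a literal string.
VAR_RE = re.compile(r"%\{(\w+)\}")


def expand(template: str, values: dict) -> str:
    """Expand %{name} variables; anything else (including legacy %u) is kept as-is."""
    return VAR_RE.sub(lambda m: values.get(m.group(1), ""), template)


class AuthCache:
    """Auth cache keyed on the expanded key template, in front of a constructed backend."""

    def __init__(self, key_template: str):
        self.key_template = key_template
        self.store = {}
        self.backend_lookups = 0

    def backend(self, user: str) -> dict:
        # Constructed stand-in for a passdb/userdb lookup.
        self.backend_lookups += 1
        return {"user": user, "home": f"/var/mail/{user}"}

    def lookup(self, user: str) -> dict:
        key = expand(self.key_template, {"user": user})
        if key not in self.store:          # cache miss: ask the backend
            self.store[key] = self.backend(user)
        return self.store[key]             # cache hit: whatever was stored under this key


def cache_key_is_per_user(template: str, sample_users=("alice", "bob")) -> bool:
    """Hypothetical operator self-check: distinct users must yield distinct cache keys."""
    keys = {expand(template, {"user": u}) for u in sample_users}
    return len(keys) == len(set(sample_users))


def demo(template: str):
    """Look up three users; return whose record each got and the backend hit count."""
    cache = AuthCache(template)
    served = [cache.lookup(u)["user"] for u in ("alice", "bob", "carol")]
    return served, cache.backend_lookups


if __name__ == "__main__":
    print("%u      ->", demo("%u"))        # (['alice', 'alice', 'alice'], 1)
    print("%{user} ->", demo("%{user}"))   # (['alice', 'bob', 'carol'], 3)
```

With the "%u" key the backend is consulted once and every later user is served alice's record, which is the shared-state inconsistency the advisory describes; with "%{user}" each user gets their own entry.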