2452174 – (CVE-2025-59031) CVE-2025-59031 dovecot: Dovecot: Information disclosure via specially crafted OOXML documents

Bug 2452174 (CVE-2025-59031) - CVE-2025-59031 dovecot: Dovecot: Information disclosure via specially crafted OOXML documents

Summary: CVE-2025-59031 dovecot: Dovecot: Information disclosure via specially crafted...

Keywords:
Status:	NEW
Alias:	CVE-2025-59031
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-27 09:02 UTC by OSIDB Bzimport
Modified:	2026-03-27 14:48 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-27 09:02:05 UTC

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

Note You need to log in before you can comment on or make changes to this bug.