Vulnerability Description
In Alinto SOPE SOGo 2.0.2 through 5.12.2, sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference and SOGo crash via a request in which a parameter in the query string is a duplicate of a parameter in the POST body.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/Alinto/sope/blob/3146fbdb6ff3314e37e5c3682deeeef7d0f32064/sop
- https://github.com/Alinto/sope/commit/280104e45c20519ac4849ebf8bca114d91383543
- https://github.com/Alinto/sope/compare/SOGo-2.0.1...SOGo-2.0.2
- https://github.com/Alinto/sope/pull/69
- https://www.openwall.com/lists/oss-security/2025/07/02/3
- http://www.openwall.com/lists/oss-security/2025/07/05/1
- https://lists.debian.org/debian-lts-announce/2025/08/msg00001.html
- https://www.openwall.com/lists/oss-security/2025/07/02/3
FAQ
What is CVE-2025-53603?
CVE-2025-53603 is a vulnerability with a CVSS score of 7.5 (HIGH). In Alinto SOPE SOGo 2.0.2 through 5.12.2, sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference and SOGo crash via a request in which a parameter in the query string is a duplicate of a...
How severe is CVE-2025-53603?
CVE-2025-53603 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-53603?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.