PT-2025-28029 · Alinto+1 · Sogo+1

Stefan Bühler · Published 2025-07-05 · Updated 2025-10-31 · CVE-2025-53603

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Alinto SOPE SOGo versions 2.0.2 through 5.12.2

Description: This issue is a NULL pointer dereference in sope-core/NGExtensions/NGHashMap.m that can crash the SOGo application. It is triggered when a request carries a parameter in the query string that duplicates a parameter in the POST body. Approximately 30,000 SOGo installations are tracked in the Russian internet space, an estimated 98% of which are vulnerable. Mass exploitation has not been observed, but the vulnerability allows remote, unauthenticated denial-of-service attacks.

Recommendations: Update SOGo to version 5.12.3 or later to resolve this issue. Restart the service to reset active sessions.
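Until the update can be rolled out, a front end in front of SOGo can at least log, and optionally reject, the request shape the advisory describes: a POST whose query-string parameter names overlap with parameter names in the body. The following is an added example written for this page, not code from the advisory, from Alinto or from the SOGo project. It assumes a raw HTTP/1.1 request is available as bytes (as at a reverse proxy or WAF hook), restricts the check to application/x-www-form-urlencoded bodies (an assumption; the advisory does not state which body encodings trigger the bug), and uses constructed sample requests with a placeholder host and path.

```python
"""Pre-filter for a SOGo front end: flag POST requests whose query-string
parameter names duplicate parameter names in the form body.

Added example for this advisory page; not SOGo or Alinto project code.
"""
from urllib.parse import parse_qsl, urlsplit


def overlapping_param_names(query_string: str, form_body: str) -> list[str]:
    """Return parameter names that occur in both the query string and the body.

    keep_blank_values=True so that a bare 'name' or 'name=' still counts as a
    parameter; repeated names within one source collapse to a single entry.
    """
    in_query = {name for name, _ in parse_qsl(query_string, keep_blank_values=True)}
    in_body = {name for name, _ in parse_qsl(form_body, keep_blank_values=True)}
    return sorted(in_query & in_body)


def parse_raw_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, query string, headers and body.

    Minimal parser for the example; a real deployment would use the proxy's
    own request object instead of re-parsing bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method.upper(),
        "query": urlsplit(target).query,
        "headers": headers,
        "body": body.decode("latin-1"),
    }


def classify_request(raw: bytes) -> dict:
    """Return the overlapping names and whether the request should be blocked.

    Only POSTs with a form-urlencoded body are inspected (assumption, see
    lead-in); everything else passes through untouched.
    """
    req = parse_raw_request(raw)
    content_type = req["headers"].get("content-type", "").split(";")[0].strip()
    overlap: list[str] = []
    if req["method"] == "POST" and content_type == "application/x-www-form-urlencoded":
        overlap = overlapping_param_names(req["query"], req["body"])
    return {"method": req["method"], "overlap": overlap, "block": bool(overlap)}


# Constructed sample requests (host, path and parameter names are placeholders).
BENIGN_REQUEST = (
    b"POST /SOGo/example?a=1 HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"b=2"
)

SUSPECT_REQUEST = (
    b"POST /SOGo/example?a=1 HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"a=2&c=3"
)


def log_line(raw: bytes) -> str:
    """Render a one-line audit record suitable for a proxy's access log."""
    verdict = classify_request(raw)
    names = ",".join(verdict["overlap"]) or "-"
    action = "BLOCK" if verdict["block"] else "PASS"
    return f"sogo-prefilter method={verdict['method']} overlap={names} action={action}"


if __name__ == "__main__":
    for sample in (BENIGN_REQUEST, SUSPECT_REQUEST):
        print(log_line(sample))
```

Run it in log-only mode first: the advisory does not say whether any legitimate SOGo client sends the same parameter name in both places, so treat the `block` verdict as an assumption to validate against your own traffic before enforcing it. The filter is a stopgap for detection and exposure reduction; the fix remains the 5.12.3 update.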

Tags: Exploit · Fix · DoS · NULL Pointer Dereference


Weakness Enumeration

Related Identifiers

CVE-2025-53603
DLA-4260-1
DSA-5970-1
MGASA-2025-0255

Affected Products

Debian
Sogo