CVE-2025-53603: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-53603 affects Alinto SOPE SOGo versions 2.0.2 through 5.12.2. The vulnerability was discovered in July 2025 and involves a NULL pointer dereference in the sope-core/NGExtensions/NGHashMap.m component that can lead to a SOGo crash. The issue occurs when a parameter in the query string is a duplicate of a parameter in the POST body (OSS Security, NVD).

The vulnerability exists in the NGHashMap.m file where the root->last pointer is not properly maintained across all methods. The issue occurs because only the -[NGMutableHashMap addObjects:count:forKey:] function maintains the root->last pointer, while other functions in the file don't handle it. When SOPE request handling parses the POST body for formParameters, clones the NGHashMap (where copied nodes have last == NULL), and then merges query string parameters, a NULL pointer dereference occurs if there is a duplicate key. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (OSS Security, GitHub PR).

When successfully exploited, this vulnerability results in a denial of service condition through a SOGo crash. The impact is limited to availability with no direct effect on confidentiality or integrity of the system (NVD).

A patch has been submitted that maintains the last pointer properly across all methods. The fix involves updating the linked-list implementation to ensure consistent handling of the root->last pointer. Long-term recommendations include replacing the current linked-list implementation with a properly tested library (GitHub PR).