diff --git a/CHANGELOG b/CHANGELOG
index 3a6ceb1a0..c5e0ed9b7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
+ mysql-brute and other scripts due to including a null terminator in the salt
+ value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
+
 o The --open option now implies --defeat-rst-ratelimit. This may result in inaccuracies in the numbers of "Not shown:" closed and filtered ports, but only in situations where it also speeds up scan times. [Daniel Miller]
diff --git a/nselib/mysql.lua b/nselib/mysql.lua
index 355af1842..b52580a31 100644
--- a/nselib/mysql.lua
+++ b/nselib/mysql.lua
@@ -149,7 +149,7 @@ function receiveGreeting( socket )
 stdnse.debug2("reserved bytes are not nulls")
 end
 if response.capabilities & Capabilities.Support41Auth > 0 then
- pos, tmp = bin.unpack("A" .. math.max(13, auth_plugin_len - 8), data, pos)
+ pos, tmp, _ = bin.unpack("A" .. (math.max(13, auth_plugin_len - 8) - 1) .. "x", data, pos)
 response.salt = response.salt .. tmp
 end
 if response.extcapabilities & ExtCapabilities.SupportsAuthPlugins > 0 then
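Review bot: The added `pos, tmp, _ = bin.unpack("A" .. (math.max(13, auth_plugin_len - 8) - 1) .. "x", data, pos)` line discards the final byte of the second salt chunk unconditionally, so a server that sends something other than a null there is silently accepted with a truncated salt, whereas the hunk's own context logs `"reserved bytes are not nulls"` for the analogous case a few lines up. Consider reading the byte instead of skipping it and logging a mismatch, e.g. `local term; pos, tmp, term = bin.unpack("A" .. (math.max(13, auth_plugin_len - 8) - 1) .. "C", data, pos)` followed by `if term ~= 0 then stdnse.debug2("salt terminator byte is not null") end` (assuming the bin library's `C` unsigned-byte format). Note also that `auth_plugin_len` comes from the server's greeting, so if `data` is shorter than the requested width `tmp` is presumably nil and the `response.salt .. tmp` concatenation on the next line raises an error; that predates this change but a length check would be cheap while touching the line. Separately, `_` is assigned without `local` in the visible lines, which writes a global if it is not declared earlier in the function. receiveGreeting starts before and continues after this hunk.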