FKIE_CVE-2025-59045

Vulnerability from fkie_nvd - Published: 2025-09-10 16:15 - Updated: 2025-09-11 17:14
Severity ?
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `<C:expand>` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only.
References
security-advisories@github.comhttps://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md
security-advisories@github.comhttps://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2
security-advisories@github.comhttps://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3
security-advisories@github.comhttps://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg
security-advisories@github.comhttps://tools.ietf.org/html/rfc4791
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart\u0027s CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `\u003cC:expand\u003e` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only."
    },
    {
      "lang": "es",
      "value": "Stalwart es un servidor de correo y colaboraci\u00f3n. A partir de la versi\u00f3n 0.12.0 y anterior a la versi\u00f3n 0.13.3, existe una vulnerabilidad de agotamiento de memoria en la implementaci\u00f3n CalDAV de Stalwart que permite a atacantes autenticados causar denegaci\u00f3n de servicio al desencadenar un consumo de memoria ilimitado mediante la expansi\u00f3n de eventos recurrentes. Un atacante autenticado puede bloquear el servidor Stalwart creando eventos recurrentes con grandes cargas \u00fatiles y desencadenando su expansi\u00f3n a trav\u00e9s de solicitudes CalDAV REPORT. Una \u00fanica solicitud maliciosa que expanda 300 eventos con descripciones de 1000 caracteres puede consumir hasta 2 GB de memoria. La vulnerabilidad existe en la funci\u00f3n \u0027ArchivedCalendarEventData.expand\u0027, que procesa las solicitudes CalDAV \u0027REPORT\u0027 con expansi\u00f3n de eventos. Cuando un cliente solicita eventos recurrentes en su forma expandida utilizando el elemento \u0027C:expand\u0027, el servidor almacena todas las instancias de eventos expandidos en memoria sin aplicar l\u00edmites de tama\u00f1o. Los usuarios deben actualizar a la versi\u00f3n 0.13.3 de Stalwart o posterior para recibir una soluci\u00f3n. Si la actualizaci\u00f3n inmediata no es posible, implemente l\u00edmites de memoria a nivel de contenedor/sistema; monitoree el uso de memoria del servidor en busca de picos inusuales; considere limitar la tasa de solicitudes CalDAV REPORT; y restrinja el acceso CalDAV solo a usuarios de confianza."
    }
  ],
  "id": "CVE-2025-59045",
  "lastModified": "2025-09-11T17:14:10.147",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-10T16:15:41.737",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://tools.ietf.org/html/rfc4791"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.