CVE-2025-59045 (GCVE-0-2025-59045)
Vulnerability from cvelistv5
Published
2025-09-10 16:09
Modified
2025-09-11 13:28
Severity ?
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `<C:expand>` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only.
References
Impacted products
Vendor Product Version
stalwartlabs stalwart Version: >= 0.12.0, < 0.13.3
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59045",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-11T13:28:40.366420Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-11T13:28:45.110Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "stalwart",
          "vendor": "stalwartlabs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.12.0, \u003c 0.13.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart\u0027s CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `\u003cC:expand\u003e` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-10T16:09:49.485Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg"
        },
        {
          "name": "https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2"
        },
        {
          "name": "https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md"
        },
        {
          "name": "https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3"
        },
        {
          "name": "https://tools.ietf.org/html/rfc4791",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://tools.ietf.org/html/rfc4791"
        }
      ],
      "source": {
        "advisory": "GHSA-xv4r-q6gr-6pfg",
        "discovery": "UNKNOWN"
      },
      "title": "Stalwart vulnerable to Memory Exhaustion via CalDAV Event Expansion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59045",
    "datePublished": "2025-09-10T16:09:49.485Z",
    "dateReserved": "2025-09-08T16:19:26.172Z",
    "dateUpdated": "2025-09-11T13:28:45.110Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59045\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-11T13:28:40.366420Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-11T13:28:43.039Z\"}}], \"cna\": {\"title\": \"Stalwart vulnerable to Memory Exhaustion via CalDAV Event Expansion\", \"source\": {\"advisory\": \"GHSA-xv4r-q6gr-6pfg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"stalwartlabs\", \"product\": \"stalwart\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.12.0, \u003c 0.13.3\"}]}], \"references\": [{\"url\": \"https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg\", \"name\": \"https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2\", \"name\": \"https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md\", \"name\": \"https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3\", \"name\": \"https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://tools.ietf.org/html/rfc4791\", \"name\": \"https://tools.ietf.org/html/rfc4791\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart\u0027s CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `\u003cC:expand\u003e` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-09-10T16:09:49.485Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59045\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-11T13:28:45.110Z\", \"dateReserved\": \"2025-09-08T16:19:26.172Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-09-10T16:09:49.485Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.