CVE-2025-59045

Severity: High · EPSS 23.6%
Published Sep 10, 2025 (9mo ago) · Modified Jun 17, 2026 (2w ago)
CVSS 4.0 base score: 7.1 (High)

Description

Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory.

The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `<C:expand>` element, the server stores all expanded event instances in memory without enforcing size limits.

Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only.
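The following is an added illustration of the mitigation the advisory points at (enforcing size limits on `<C:expand>` output). It is example code written for this page, not Stalwart's implementation or its fix, and every name in it (`RecurringEvent`, `ExpandLimits`, `ExpandBudget`, `expand_report`) is hypothetical. It models time as plain seconds and a recurrence as a fixed interval with an optional COUNT rather than full RRULE handling; the point it demonstrates is that every materialised instance is charged against a per-request budget before it is stored, so a request shaped like the one described (300 events with 1000-character descriptions, expanded over a year) is refused after a bounded amount of work instead of allocating gigabytes, while ordinary requests still expand normally.

```rust
// Added illustration (not Stalwart's code): bounding CalDAV <C:expand> output.
// Times are i64 seconds so the example needs no date crate; a real server
// expands RRULEs with calendar arithmetic, but the budgeting logic is the same.

use std::fmt;

#[derive(Debug, Clone)]
pub struct RecurringEvent {
    pub uid: String,
    pub description: String,
    pub first_start: i64,   // seconds since epoch of the first occurrence
    pub interval: i64,      // seconds between occurrences (86_400 = daily)
    pub count: Option<u32>, // RRULE COUNT; None means unbounded
}

#[derive(Debug, Clone, PartialEq)]
pub struct Instance {
    pub uid: String,
    pub start: i64,
    pub description: String,
}

/// Hard caps applied to one REPORT request, across every event it expands.
#[derive(Debug, Clone, Copy)]
pub struct ExpandLimits {
    pub max_instances: usize,
    pub max_bytes: usize,
}

#[derive(Debug, PartialEq)]
pub enum ExpandError {
    TooManyInstances { limit: usize },
    TooManyBytes { limit: usize },
}

impl fmt::Display for ExpandError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ExpandError::TooManyInstances { limit } => write!(f, "expansion exceeds {} instances", limit),
            ExpandError::TooManyBytes { limit } => write!(f, "expansion exceeds {} bytes", limit),
        }
    }
}

/// Running total for one request; `charge` is called before each allocation.
pub struct ExpandBudget {
    limits: ExpandLimits,
    instances: usize,
    bytes: usize,
}

impl ExpandBudget {
    pub fn new(limits: ExpandLimits) -> Self {
        ExpandBudget { limits, instances: 0, bytes: 0 }
    }

    fn charge(&mut self, inst_bytes: usize) -> Result<(), ExpandError> {
        if self.instances + 1 > self.limits.max_instances {
            return Err(ExpandError::TooManyInstances { limit: self.limits.max_instances });
        }
        if self.bytes + inst_bytes > self.limits.max_bytes {
            return Err(ExpandError::TooManyBytes { limit: self.limits.max_bytes });
        }
        self.instances += 1;
        self.bytes += inst_bytes;
        Ok(())
    }
}

/// Expand `event` into the occurrences inside [range_start, range_end),
/// charging each one against `budget` *before* it is pushed to `out`.
pub fn expand_bounded(
    event: &RecurringEvent,
    range_start: i64,
    range_end: i64,
    budget: &mut ExpandBudget,
    out: &mut Vec<Instance>,
) -> Result<(), ExpandError> {
    assert!(event.interval > 0, "interval must be positive");
    let mut n: u64 = 0; // index of the occurrence about to be considered
    let mut start = event.first_start;
    if start < range_start {
        // Jump over occurrences before the range arithmetically: no allocation.
        let skip = (range_start - start + event.interval - 1) / event.interval;
        n = skip as u64;
        start += skip * event.interval;
    }
    while start < range_end {
        if let Some(c) = event.count {
            if n >= c as u64 {
                break; // COUNT exhausted (also honoured after the skip above)
            }
        }
        // Approximate heap cost of the instance we are about to materialise.
        let inst_bytes = event.uid.len() + event.description.len() + std::mem::size_of::<Instance>();
        budget.charge(inst_bytes)?;
        out.push(Instance { uid: event.uid.clone(), start, description: event.description.clone() });
        n += 1;
        start += event.interval;
    }
    Ok(())
}

/// Expand every event in a REPORT under one shared budget; the first event
/// that would push the request over a cap aborts the whole expansion.
pub fn expand_report(
    events: &[RecurringEvent],
    range_start: i64,
    range_end: i64,
    limits: ExpandLimits,
) -> Result<Vec<Instance>, ExpandError> {
    let mut budget = ExpandBudget::new(limits);
    let mut out = Vec::new();
    for ev in events {
        expand_bounded(ev, range_start, range_end, &mut budget, &mut out)?;
    }
    Ok(out)
}

fn main() {
    let day: i64 = 86_400;
    let limits = ExpandLimits { max_instances: 10_000, max_bytes: 16 * 1024 * 1024 };
    // Constructed input mirroring the advisory's numbers: 300 daily events
    // with 1000-character descriptions, expanded over one year.
    let events: Vec<RecurringEvent> = (0..300)
        .map(|i| RecurringEvent {
            uid: format!("evt-{}", i),
            description: "x".repeat(1000),
            first_start: 0,
            interval: day,
            count: None,
        })
        .collect();
    match expand_report(&events, 0, 365 * day, limits) {
        Ok(v) => println!("expanded {} instances", v.len()),
        Err(e) => println!("rejected: {}", e),
    }
}
```

Two caps are deliberate: an instance cap alone lets a few enormous events through, and a byte cap alone lets thousands of tiny ones through; charging both per instance keeps the worst case proportional to the limits rather than to the attacker's input. The same budget object can be extended to cover the serialised XML response, which is where the memory actually ends up in a CalDAV server.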

CVSS Details

Base Score
7.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
23.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-770

References 5

  • https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md
  • https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2
  • https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3
  • https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg
  • https://tools.ietf.org/html/rfc4791

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.