Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2025-59045
Awaiting Analysis
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-10 Sep, 2025 | 16:15
Updated At-11 Sep, 2025 | 17:14

Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `<C:expand>` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-770Primarysecurity-advisories@github.com
CWE ID: CWE-770
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.mdsecurity-advisories@github.com
N/A
https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2security-advisories@github.com
N/A
https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3security-advisories@github.com
N/A
https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfgsecurity-advisories@github.com
N/A
https://tools.ietf.org/html/rfc4791security-advisories@github.com
N/A
Hyperlink: https://github.com/stalwartlabs/stalwart/blob/main/CHANGELOG.md
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/stalwartlabs/stalwart/commit/15762fba2ba335e560b8d25f71af085a8b6b6cf2
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.3
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-xv4r-q6gr-6pfg
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://tools.ietf.org/html/rfc4791
Source: security-advisories@github.com
Resource: N/A
Change History
0Changes found
Details not found