CVE-2025-61600
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-02

Last updated on: 2025-10-06

Assigner: GitHub, Inc.

Description
Stalwart is a mail and collaboration server. Versions 0.13.3 and below contain an unbounded memory allocation vulnerability in the IMAP protocol parser which allows remote attackers to exhaust server memory, potentially triggering the system's out-of-memory (OOM) killer and causing a denial of service. The CommandParser implementation enforces size limits on its dynamic buffer in most parsing states, but several state handlers omit these validation checks. This issue is fixed in version 0.13.4. A workaround for this issue is to implement rate limiting and connection monitoring at the network level, however this does not provide complete protection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-02
Last Modified
2025-10-06
Generated
2026-06-16
AI Q&A
2025-10-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61600
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
stalwartlabs stalwart 0.13.4
stalwartlabs stalwart 0.13.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Stalwart mail and collaboration server versions 0.13.3 and below. It is an unbounded memory allocation issue in the IMAP protocol parser, where certain parsing states do not enforce size limits on dynamic buffers. This allows remote attackers to cause the server to allocate excessive memory, potentially exhausting system memory and triggering the out-of-memory (OOM) killer, leading to a denial of service.

Impact Analysis

The vulnerability can impact you by allowing remote attackers to exhaust the server's memory resources, causing the system to run out of memory and potentially crash or become unresponsive. This results in a denial of service, disrupting mail and collaboration services provided by the Stalwart server.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Stalwart to version 0.13.4 or later where the issue is fixed. As a workaround, implement rate limiting and connection monitoring at the network level to reduce the risk of exploitation, although this does not provide complete protection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61600. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart