CVE intelligence and bounded remediation

CVE-2025-59045 — Stalwart is a mail and collaboration server

High CVSS 7.1

Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `<C:expand>` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restr…

Severity
High
CVSS
7.1 (4.0)
Published
2025-09-10
CISA KEV
Not currently listed
Ecosystem
software/application
Weaknesses
CWE-770

Affected products

No browser-safe affected-product rows are available.

Matched remediation archetype

Resource exhaustion and denial of service

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
  • Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
  • Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.

Remediate safely

  • Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
  • Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
  • Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.