QwikSec

Security Database

CVE

CWE

Training

CVE-2025-61600

Published: Oct 2, 2025

Modified: Oct 3, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Stalwart is a mail and collaboration server. Versions 0.13.3 and below contain an unbounded memory allocation vulnerability in the IMAP protocol parser which allows remote attackers to exhaust server memory, potentially triggering the system's out-of-memory (OOM) killer and causing a denial of service. The CommandParser implementation enforces size limits on its dynamic buffer in most parsing states, but several state handlers omit these validation checks. This issue is fixed in version 0.13.4. A workaround for this issue is to implement rate limiting and connection monitoring at the network level, however this does not provide complete protection.

Vendor	Product	Versions
stalwartlabs	stalwart	affected `< 0.13.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-8jqj-qj5p-v5rr

x_refsource_CONFIRM

https://github.com/stalwartlabs/stalwart/commit/a8e631e881bded8128358732f18e02ca94a4e677

x_refsource_MISC

https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.