Stalwart Mail and Collaboration Server Memory Exhaustion Vulnerability in CalDAV Implementation
Vulnerability
A memory exhaustion vulnerability has been identified in Stalwart's CalDAV implementation, affecting versions from 0.12.0 up to but not including 0.13.3. It allows an authenticated attacker to cause a denial of service by triggering unbounded memory consumption through the expansion of recurring events. The issue lies in the 'ArchivedCalendarEventData.expand' function, which processes CalDAV 'REPORT' requests that ask for event expansion. When a client requests recurring events in expanded form using the '<C:expand>' element, the server materialises every expanded instance in memory without enforcing any size limit, so memory use grows with the number of occurrences multiplied by the payload size of each event. An authenticated attacker can exploit this by creating recurring events with large payloads and then requesting their expansion through CalDAV 'REPORT' requests. For example, a single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory.
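As an added illustration (this is not Stalwart's code and not the fix shipped in 0.13.3), the Rust sketch below contrasts an expansion routine that buffers every instance with one that enforces a byte budget before and during materialisation; the event shape, the budget value and the error type are assumptions.

```rust
/// Constructed stand-in for a recurring event: the description payload plus the
/// number of occurrences its recurrence rule yields in the requested range.
#[derive(Clone, Debug)]
pub struct RecurringEvent {
    pub uid: String,
    pub description: String,
    pub occurrences: usize,
}

/// Returned when expansion would exceed the byte budget; the REPORT handler
/// should reject the request instead of buffering further instances.
#[derive(Debug, PartialEq)]
pub struct BudgetExceeded { pub needed: usize, pub limit: usize }

fn instance(e: &RecurringEvent, i: usize) -> String {
    format!("{}#{}:{}", e.uid, i, e.description)
}

/// Vulnerable shape: every instance is materialised and retained, so memory
/// grows with occurrences * payload size and nothing stops it.
pub fn expand_unbounded(events: &[RecurringEvent]) -> Vec<String> {
    events.iter().flat_map(|e| (0..e.occurrences).map(move |i| instance(e, i))).collect()
}

/// Hardened shape: a cheap lower-bound estimate rejects oversized expansions
/// before any allocation; a running byte counter re-checks while materialising.
pub fn expand_bounded(events: &[RecurringEvent], max_bytes: usize) -> Result<Vec<String>, BudgetExceeded> {
    let estimate: usize = events.iter().map(|e| e.occurrences * (e.uid.len() + e.description.len())).sum();
    if estimate > max_bytes {
        return Err(BudgetExceeded { needed: estimate, limit: max_bytes });
    }
    let mut out = Vec::new();
    let mut used = 0usize;
    for e in events {
        for i in 0..e.occurrences {
            let inst = instance(e, i);
            used += inst.len();
            if used > max_bytes {
                return Err(BudgetExceeded { needed: used, limit: max_bytes });
            }
            out.push(inst);
        }
    }
    Ok(out)
}

/// Builds `n` constructed events with `desc_len`-byte descriptions (test data only).
pub fn sample_events(n: usize, desc_len: usize, occurrences: usize) -> Vec<RecurringEvent> {
    (0..n).map(|i| RecurringEvent { uid: format!("ev-{i}"), description: "A".repeat(desc_len), occurrences }).collect()
}
```

The up-front estimate is only a lower bound (it ignores the per-instance separators), which is why the running counter is kept as a second check.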
Impact
Exploitation of this vulnerability leads to a denial-of-service condition, causing the Stalwart server to crash due to excessive memory consumption.
Reproduction
To reproduce this vulnerability, an authenticated user can create recurring events with large descriptions and then send a CalDAV 'REPORT' request that triggers the expansion of these events. The server will process the request by expanding all instances of the recurring events, which can result in a significant increase in memory usage, potentially causing the server to crash.
Remediation
Users are advised to upgrade to Stalwart version 0.13.3 or later. If an immediate upgrade is not possible, consider implementing memory limits at the container or system level, monitoring server memory usage for unusual spikes, rate limiting CalDAV 'REPORT' requests, and restricting CalDAV access to trusted users only.
