Stalwart Mail Server Denial-of-Service Vulnerability via Malformed Nested MIME Messages
Vulnerability
A denial-of-service vulnerability has been identified in Stalwart Mail Server versions 0.13.0 through 0.15.4. The issue arises when a specially crafted email containing malformed nested 'message/rfc822' MIME parts is accessed via IMAP or JMAP. This malformed structure leads to excessive CPU and memory consumption, potentially causing an out-of-memory condition and server crash. The 'mail-parser' crate used by Stalwart creates cyclical references in its parsed representation of the email, which the server follows indefinitely, exhausting system resources.
Impact
Exploitation of this vulnerability can cause a significant denial-of-service condition, leading to excessive CPU and memory usage that can crash the Stalwart Mail Server. This disruption affects all users of the server.
Reproduction
To reproduce this vulnerability, an attacker must craft an email with malformed nested 'message/rfc822' MIME parts that create cyclical references when parsed. This email is then delivered to a mailbox on a Stalwart server. When an authenticated user accesses the mailbox and requests the message's body structure via IMAP or JMAP, the server follows the cyclical references, entering an infinite loop that consumes CPU and memory until the process is terminated or the system runs out of memory.
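The mechanism described in the Vulnerability and Reproduction sections is a body-structure walker that follows part references without noticing that it has looped back on itself. The following Rust program is an added example, not code from Stalwart or the 'mail-parser' crate: it models a parsed message as a flat table of parts that reference their children by index (an assumption about the representation, chosen to match the "cyclical references in its parsed representation" the advisory describes) and shows a cycle-safe traversal that rejects self-references, dangling indices and excessive nesting instead of recursing forever. The `Body`, `PartId`, `WalkError`, `MAX_DEPTH`, `body_structure`, `well_formed`, `cyclic` and `deep_chain` names are all constructed for this example.

```rust
// Added example (not Stalwart's or mail-parser's code): a simplified flat
// part table with a cycle-safe body-structure walker.
use std::collections::HashSet;

/// Index of a part in the flat part table (assumption: children are
/// referenced by index, as the advisory's "cyclical references" imply).
type PartId = usize;

/// Simplified MIME part body. Constructed for this example.
#[derive(Debug, Clone)]
enum Body {
    /// Leaf part (text, attachment, ...), carrying only its content type.
    Leaf(&'static str),
    /// multipart/*: children by index.
    Multipart(Vec<PartId>),
    /// message/rfc822: the embedded message's root part by index.
    Message(PartId),
}

#[derive(Debug, PartialEq)]
enum WalkError {
    /// A part referenced itself or one of its ancestors: cyclical structure.
    Cycle(PartId),
    /// Nesting deeper than the configured limit.
    TooDeep(usize),
    /// Child index outside the part table.
    Dangling(PartId),
}

/// Maximum nesting depth accepted before the walk gives up (assumed limit).
const MAX_DEPTH: usize = 64;

/// Walks the part table from `root` and returns a flattened list of
/// (depth, content-type) entries, the kind of output a BODYSTRUCTURE
/// builder produces. Errors out on cycles, dangling references and
/// excessive depth instead of looping until memory is exhausted.
fn body_structure(parts: &[Body], root: PartId) -> Result<Vec<(usize, String)>, WalkError> {
    let mut out = Vec::new();
    let mut on_path = HashSet::new(); // parts on the current ancestor chain
    walk(parts, root, 0, &mut on_path, &mut out)?;
    Ok(out)
}

fn walk(
    parts: &[Body],
    id: PartId,
    depth: usize,
    on_path: &mut HashSet<PartId>,
    out: &mut Vec<(usize, String)>,
) -> Result<(), WalkError> {
    if depth > MAX_DEPTH {
        return Err(WalkError::TooDeep(depth));
    }
    let part = parts.get(id).ok_or(WalkError::Dangling(id))?;
    // A part already on the ancestor path means the parsed tree loops back.
    if !on_path.insert(id) {
        return Err(WalkError::Cycle(id));
    }
    match part {
        Body::Leaf(ct) => out.push((depth, ct.to_string())),
        Body::Multipart(children) => {
            // Reported as multipart/mixed for brevity in this model.
            out.push((depth, "multipart/mixed".to_string()));
            for &child in children {
                walk(parts, child, depth + 1, on_path, out)?;
            }
        }
        Body::Message(inner) => {
            out.push((depth, "message/rfc822".to_string()));
            walk(parts, *inner, depth + 1, on_path, out)?;
        }
    }
    on_path.remove(&id); // leaving this subtree; siblings may reuse parts
    Ok(())
}

/// Constructed sample: a well-formed message with one embedded message.
fn well_formed() -> Vec<Body> {
    vec![
        Body::Multipart(vec![1, 2]), // 0: root multipart
        Body::Leaf("text/plain"),    // 1
        Body::Message(3),            // 2: forwarded message
        Body::Leaf("text/html"),     // 3: its body
    ]
}

/// Constructed sample: the embedded message points back at the root,
/// the shape of the cyclical reference the advisory describes.
fn cyclic() -> Vec<Body> {
    vec![
        Body::Multipart(vec![1, 2]), // 0
        Body::Leaf("text/plain"),    // 1
        Body::Message(0),            // 2: refers back to part 0
    ]
}

/// Constructed sample: `n` message/rfc822 parts nested one inside the next.
fn deep_chain(n: usize) -> Vec<Body> {
    let mut parts: Vec<Body> = (0..n).map(|i| Body::Message(i + 1)).collect();
    parts.push(Body::Leaf("text/plain"));
    parts
}

fn main() {
    println!("{:?}", body_structure(&well_formed(), 0));
    println!("{:?}", body_structure(&cyclic(), 0));
    println!("{:?}", body_structure(&deep_chain(200), 0));
}
```

The visited set tracks only the current ancestor chain rather than every part ever seen, so a legitimate part shared by two siblings is not misreported as a cycle, while a reference back to any ancestor is caught on the first revisit; the depth cap is a second, independent bound for the case where the table is not cyclic but simply absurdly deep.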
Remediation
Users are advised to upgrade to Stalwart Mail Server version 0.15.5 or later. For those upgrading from version 0.14.x or earlier, please consult the upgrading documentation for important information about breaking changes.
