PT-2025-37076 · Stalwart · Stalwart
Published 2025-09-10 · Updated 2025-10-07
CVE-2025-59045
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
Stalwart versions 0.12.0 through 0.13.2
Description:
Stalwart is a mail and collaboration server. A memory exhaustion vulnerability in Stalwart's CalDAV implementation allows an authenticated attacker to cause a denial of service through unbounded memory consumption during recurring-event expansion. The attacker creates recurring events with large payloads and then requests them in expanded form via CalDAV REPORT requests; a single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory and crash the server. The flaw is in the ArchivedCalendarEventData.expand function, which handles CalDAV REPORT requests that carry the <C:expand> element: the server materialises every expanded event instance in memory without enforcing a size limit on the result. Because the attack needs only a valid account (PR:L in the vector), any user who can create calendar objects can trigger it.
Recommendations:
Upgrade to Stalwart version 0.13.3 or later.
If upgrading immediately is not possible, enforce memory limits at the container or system level so that an exhausted process is killed or throttled instead of taking the host down with it.
Monitor server memory usage for unusual spikes.
Consider rate limiting CalDAV REPORT requests.
Restrict CalDAV access to trusted users only.
Exploit
Fix
Weakness Enumeration
Allocation of Resources Without Limits
Related Identifiers
Affected Products
Stalwart
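The request shape and the expansion behaviour described above, as an added example that is not Stalwart's code: `build_expand_report` produces the body of a CalDAV calendar-query REPORT carrying a `<C:expand>` element (RFC 4791 section 9.6.5), and a toy daily-recurrence expander contrasts the unbounded shape the advisory describes with a budgeted one. The function names `expand_unbounded`, `expand_bounded` and `ExpansionTooLarge`, the budget values, and the sample event (300 daily occurrences with a 1000-character DESCRIPTION) are assumptions made for illustration; real RRULE handling is far richer than FREQ=DAILY;COUNT=n, and nothing here reproduces Stalwart's internals.

```python
"""Added example (not Stalwart code): a CalDAV REPORT with <C:expand>, and a
toy recurrence expander showing why the server must cap what it materialises.
All names and limits below are hypothetical."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

DAV = "DAV:"
CAL = "urn:ietf:params:xml:ns:caldav"


def build_expand_report(start: str, end: str) -> bytes:
    """Body of a calendar-query REPORT asking for expanded recurrences.
    start/end are UTC timestamps such as 20250101T000000Z (RFC 4791 9.6.5)."""
    ET.register_namespace("D", DAV)
    ET.register_namespace("C", CAL)
    query = ET.Element(f"{{{CAL}}}calendar-query")
    prop = ET.SubElement(query, f"{{{DAV}}}prop")
    cdata = ET.SubElement(prop, f"{{{CAL}}}calendar-data")
    ET.SubElement(cdata, f"{{{CAL}}}expand", start=start, end=end)  # the trigger
    flt = ET.SubElement(query, f"{{{CAL}}}filter")
    vcal = ET.SubElement(flt, f"{{{CAL}}}comp-filter", name="VCALENDAR")
    ET.SubElement(vcal, f"{{{CAL}}}comp-filter", name="VEVENT")
    return ET.tostring(query, encoding="utf-8", xml_declaration=True)


# Constructed sample, not a captured object: a daily event recurring 300 times
# with a 1000-character DESCRIPTION, the shape the advisory describes.
SAMPLE_EVENT = {
    "uid": "evil-1@example.invalid",
    "dtstart": datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc),
    "count": 300,            # stands in for RRULE:FREQ=DAILY;COUNT=300
    "summary": "Standup",
    "description": "A" * 1000,
}
WINDOW_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 1, tzinfo=timezone.utc)


def render_instance(event, when: datetime) -> str:
    """One expanded occurrence as iCalendar text: its own VEVENT with a
    RECURRENCE-ID and the full payload copied in, RRULE removed."""
    stamp = when.strftime("%Y%m%dT%H%M%SZ")
    return (
        "BEGIN:VEVENT\r\n"
        f"UID:{event['uid']}\r\n"
        f"RECURRENCE-ID:{stamp}\r\n"
        f"DTSTART:{stamp}\r\n"
        f"SUMMARY:{event['summary']}\r\n"
        f"DESCRIPTION:{event['description']}\r\n"
        "END:VEVENT\r\n"
    )


def occurrences(event, window_start, window_end):
    """Lazy daily occurrences inside [window_start, window_end)."""
    dt = event["dtstart"]
    for _ in range(event["count"]):
        if dt >= window_end:
            return
        if dt >= window_start:
            yield dt
        dt += timedelta(days=1)


def expand_unbounded(event, window_start, window_end):
    """Vulnerable shape: every instance is materialised into one list, so
    memory grows as instances x payload with no ceiling."""
    return [render_instance(event, dt) for dt in occurrences(event, window_start, window_end)]


class ExpansionTooLarge(Exception):
    """Raised when an expansion would exceed the budget; the REPORT handler
    should turn this into a 4xx instead of continuing to allocate."""


def expand_bounded(event, window_start, window_end, max_instances=1000, max_bytes=1 << 20):
    """Hardened shape (hypothetical limits): check both the instance count
    and the cumulative byte size before each append, not after the loop."""
    out, total = [], 0
    for dt in occurrences(event, window_start, window_end):
        text = render_instance(event, dt)
        total += len(text)
        if len(out) + 1 > max_instances or total > max_bytes:
            raise ExpansionTooLarge(f"{len(out) + 1} instances / {total} bytes exceeds budget")
        out.append(text)
    return out


def expansion_bytes(instances) -> int:
    """Size of the expanded result that the server would hold in memory."""
    return sum(len(i) for i in instances)


if __name__ == "__main__":
    print(build_expand_report("20250101T000000Z", "20260101T000000Z").decode())
    inst = expand_unbounded(SAMPLE_EVENT, WINDOW_START, WINDOW_END)
    print(len(inst), "instances,", expansion_bytes(inst), "bytes for one event")
    try:
        expand_bounded(SAMPLE_EVENT, WINDOW_START, WINDOW_END, max_bytes=100_000)
    except ExpansionTooLarge as e:
        print("rejected:", e)
```

Running it prints the REPORT body, then 300 instances and their byte total for a single event; multiply by the number of such events a user can store to see how one request reaches the figures in the advisory. The design point for a server-side fix is that the budget is checked while instances are being materialised, before the next allocation, and that a rejected request returns an error rather than being retried into the same code path; per-request rate limiting, as the recommendations suggest, only slows the attacker down and does not bound a single request.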