# Key Information

## Vulnerability Overview

- Vulnerability Name: Memory Exhaustion via CalDAV Event Expansion
- CVE ID: CVE-2025-36045
- Severity: High

## Affected Scope

- Affected Versions: < 0.13.3
- Fixed Version: 0.13.3

## Vulnerability Description

- Attack Vector: Network (CalDAV REPORT request)
- Authentication Required: Any valid user account
- Impact: Denial of Service (DoS) via memory exhaustion
- Severity: High

## Attack Mechanism

1. Attacker creates multiple recurring events with large description payloads.
2. Attacker sends a CalDAV REPORT request with a broad date range to trigger expansion.
3. Server expands all recurring instances and stores them in memory.
4. Memory consumption grows without bounds, potentially crashing the server.

## Example Exploitable Request

## Mitigation Measures

Immediate Action: Upgrade to Stalwart version 0.13.3 or later.

Temporary Workarounds:

- Implement memory limits at container/system level.
- Monitor server memory usage for abnormal spikes.
- Consider rate-limiting CalDAV REPORT requests.
- Restrict CalDAV access to trusted users only.

## Timeline

- Vulnerability Introduced: Version 0.12.0 (CalDAV support added)
- Vulnerability Reported: September 9, 2025
- Fix Released: Version 0.13.3
- Disclosure Published: September 10, 2025
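The mechanism above boils down to one missing bound: the server materialises every instance of every recurring event in the requested range before it knows how many there will be. The following added example (not Stalwart's code, and not the fix shipped in 0.13.3, whose exact form this advisory does not describe) shows the defensive pattern a CalDAV server needs here: compute the projected instance count and payload size of the expansion arithmetically, and refuse the REPORT before anything is allocated. The event model (fixed-interval recurrence only), the budget values and all names are constructed for the illustration.

```python
"""Bounded expansion of recurring calendar events for a CalDAV REPORT.

Constructed illustration of the defensive pattern: estimate the cost of
expanding recurrences over the requested range arithmetically, and refuse
the request before any instance is materialised in memory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# Per-request budget (constructed values, not Stalwart's).
MAX_INSTANCES = 10_000
MAX_BYTES = 8 * 1024 * 1024


@dataclass(frozen=True)
class RecurringEvent:
    uid: str
    start: date
    interval_days: int          # simplified recurrence: daily=1, weekly=7, ...
    description: str            # the attacker-controlled payload in the advisory


class ExpansionLimitExceeded(Exception):
    """Raised when a REPORT range would expand past the configured budget."""


def make_event(uid: str, start_iso: str, interval_days: int, description: str) -> RecurringEvent:
    if interval_days < 1:
        raise ValueError("interval_days must be >= 1")
    return RecurringEvent(uid, date.fromisoformat(start_iso), interval_days, description)


def _first_occurrence_in_range(ev: RecurringEvent, range_start: date) -> date:
    """First instance on or after range_start, computed without iterating."""
    if ev.start >= range_start:
        return ev.start
    days_behind = (range_start - ev.start).days
    steps = -(-days_behind // ev.interval_days)   # ceiling division
    return ev.start + timedelta(days=steps * ev.interval_days)


def projected_cost(events: Iterable[RecurringEvent], start_iso: str, end_iso: str) -> tuple:
    """Return (instance_count, payload_bytes) the expansion would produce.

    Pure arithmetic: nothing is allocated, so a broad range chosen by the
    client costs O(number of events), not O(number of instances).
    """
    range_start, range_end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    if range_end < range_start:
        raise ValueError("range end precedes range start")
    instances = payload = 0
    for ev in events:
        first = _first_occurrence_in_range(ev, range_start)
        if first > range_end:
            continue
        n = (range_end - first).days // ev.interval_days + 1
        instances += n
        payload += n * len(ev.description.encode("utf-8"))
    return instances, payload


def report_allowed(events, start_iso, end_iso, max_instances=MAX_INSTANCES, max_bytes=MAX_BYTES) -> bool:
    """Pre-flight gate: True only if the expansion fits the budget."""
    count, size = projected_cost(events, start_iso, end_iso)
    return count <= max_instances and size <= max_bytes


def expand_bounded(events, start_iso, end_iso, max_instances=MAX_INSTANCES, max_bytes=MAX_BYTES):
    """Expand recurrences only after the projected cost passes the budget check."""
    events = list(events)
    count, size = projected_cost(events, start_iso, end_iso)
    if count > max_instances or size > max_bytes:
        raise ExpansionLimitExceeded(
            f"REPORT would expand to {count} instances / {size} bytes "
            f"(limits {max_instances} / {max_bytes})"
        )
    range_start, range_end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    out = []
    for ev in events:
        cur = _first_occurrence_in_range(ev, range_start)
        while cur <= range_end:
            out.append((ev.uid, cur.isoformat(), ev.description))
            cur += timedelta(days=ev.interval_days)
    return out


if __name__ == "__main__":
    # Constructed sample: one daily event carrying a 1 KiB description.
    ev = make_event("evt-1", "2025-01-01", 1, "x" * 1024)
    print(projected_cost([ev], "2025-01-01", "2025-01-10"))
    try:
        expand_bounded([ev], "2025-01-01", "2034-12-31", max_bytes=1024 * 1024)
    except ExpansionLimitExceeded as e:
        print("rejected:", e)
```

The point of `projected_cost` is that the check itself must not be vulnerable to the same growth: it derives the instance count from the range and interval in constant time per event, so a request that would have expanded to millions of instances is rejected with a single error response and no allocation. In a real server the budget would be paired with the temporary workarounds the advisory lists (process-level memory limits and rate-limiting of REPORT requests), since the arithmetic bound only covers the expansion step.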