Security Advisory: Memory Exhaustion via CalDAV Event Expansion
Summary
A memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion.
Impact
- Attack Vector: Network (CalDAV REPORT requests)
- Authentication: Required (any valid user account)
- Impact: Denial of Service (DoS) via memory exhaustion
- Severity: High
An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory.
Affected Versions
- Affected: 0.12.0 to 0.13.2 (inclusive)
- Fixed: 0.13.3 and later
CalDAV support was introduced in version 0.12.0, making all versions from 0.12.0 through 0.13.2 vulnerable.
Technical Details
The vulnerability exists in the ArchivedCalendarEventData.expand function, which processes CalDAV REPORT requests with event expansion. When a client requests recurring events in their expanded form using the <C:expand> element, the server stores all expanded event instances in memory without enforcing size limits.
Attack Mechanism
- Attacker creates multiple recurring events with large description payloads
- Attacker sends a CalDAV
REPORT request with a wide date range for expansion
- Server expands all recurring instances and stores them in memory
- Memory consumption grows unbounded, potentially crashing the server
Example Vulnerable Request
<?xml version="1.0" encoding="utf-8" ?>
<C:calendar-query xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav">
<D:prop>
<C:calendar-data>
<C:comp name="VCALENDAR">
<C:comp name="VEVENT"/>
</C:comp>
<C:expand start="20250103T000000Z" end="20501205T000000Z"/>
</C:calendar-data>
</D:prop>
<C:filter>
<C:comp-filter name="VCALENDAR">
<C:comp-filter name="VEVENT">
<C:time-range start="20250103T000000Z" end="20501205T000000Z"/>
</C:comp-filter>
</C:comp-filter>
</C:filter>
</C:calendar-query>Mitigation
Immediate Action Required: Upgrade to Stalwart version 0.13.3 or later.
Temporary Workarounds
If immediate upgrading is not possible:
- Implement memory limits at the container/system level
- Monitor server memory usage for unusual spikes
- Consider rate limiting CalDAV REPORT requests
- Restrict CalDAV access to trusted users only
Timeline
- Vulnerability Introduced: Version 0.12.0 (CalDAV support added)
- Vulnerability Reported: September 9th, 2025
- Fix Released: Version 0.13.3
- Advisory Published: September 10th, 2025
References
ThomasRinsma Analyst
b0-n0-b0 Analyst
Security Advisory: Memory Exhaustion via CalDAV Event Expansion
Summary
A memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion.
Impact
An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory.
Affected Versions
CalDAV support was introduced in version 0.12.0, making all versions from 0.12.0 through 0.13.2 vulnerable.
Technical Details
The vulnerability exists in the
ArchivedCalendarEventData.expandfunction, which processes CalDAVREPORTrequests with event expansion. When a client requests recurring events in their expanded form using the<C:expand>element, the server stores all expanded event instances in memory without enforcing size limits.Attack Mechanism
REPORTrequest with a wide date range for expansionExample Vulnerable Request
Mitigation
Immediate Action Required: Upgrade to Stalwart version 0.13.3 or later.
Temporary Workarounds
If immediate upgrading is not possible:
Timeline
References