
CVE-2025-59045: CWE-770: Allocation of Resources Without Limits or Throttling in stalwartlabs stalwart

High
Tags: Vulnerability, CVE-2025-59045, CWE-770
Published: Wed Sep 10 2025 (09/10/2025, 16:09:49 UTC)
Source: CVE Database V5
Vendor/Project: stalwartlabs
Product: stalwart

Description

Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `<C:expand>` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only.

AI-Powered Analysis

Last updated: 09/10/2025, 16:11:56 UTC

Technical Analysis

CVE-2025-59045 is a high-severity memory exhaustion vulnerability affecting the Stalwart mail and collaboration server, specifically versions from 0.12.0 up to but not including 0.13.3. The flaw resides in the CalDAV implementation, within the ArchivedCalendarEventData.expand function that handles CalDAV REPORT requests involving recurring event expansion. When a client requests recurring calendar events in their expanded form using the <C:expand> element, the server attempts to store all expanded event instances in memory without enforcing any limits on the number or size of these instances. An authenticated attacker can exploit this by creating recurring events with large payloads (e.g., descriptions of 1000 characters) and triggering their expansion through a single CalDAV REPORT request. This can cause unbounded memory consumption, with a single request expanding 300 events potentially consuming up to 2 GB of RAM, leading to denial-of-service (DoS) conditions by crashing the Stalwart server. The vulnerability does not require user interaction and can be triggered remotely by any authenticated user, making it relatively easy to exploit within an environment where Stalwart is deployed. The root cause is the lack of resource allocation limits or throttling during event expansion, classified under CWE-770. The vendor has addressed this issue in Stalwart version 0.13.3 and later. Until upgrading is possible, mitigations include enforcing memory limits at the container or system level, monitoring memory usage for anomalies, rate limiting CalDAV REPORT requests, and restricting CalDAV access to trusted users only.
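The defect described above is an allocation that the requester controls: every occurrence produced by recurrence expansion is materialised in memory before the REPORT reply is built, with no cap on count or size. The following Rust program is an added illustration, not Stalwart's code; every type and function name (`RecurringEvent`, `expand_unbounded`, `expand_bounded`, `ExpandLimits`) is hypothetical. It shows the unbounded shape beside a bounded one that charges a per-request instance budget and byte budget before each push and rejects the request as soon as either is exceeded, which is the general fix pattern for CWE-770 in a request handler.

```rust
// Added example (not Stalwart's code). All names here are hypothetical.
// Demonstrates bounding recurring-event expansion so a CalDAV REPORT with
// <C:expand> cannot drive an allocation of arbitrary size (CWE-770).
use std::fmt;

/// A stored recurring event: start (seconds since epoch), repeat interval,
/// optional recurrence end, and the description copied into every instance.
#[derive(Clone, Debug)]
pub struct RecurringEvent {
    pub uid: String,
    pub dtstart: i64,
    pub interval_secs: i64,
    pub until: Option<i64>,
    pub description: String,
}

/// One expanded occurrence as it would be serialised into the REPORT reply.
#[derive(Clone, Debug, PartialEq)]
pub struct Instance {
    pub uid: String,
    pub start: i64,
    pub description: String,
}

/// Per-request limits applied to a single expansion.
#[derive(Clone, Copy, Debug)]
pub struct ExpandLimits {
    pub max_instances: usize,
    pub max_bytes: usize,
}

#[derive(Debug, PartialEq)]
pub enum ExpandError {
    InvalidInterval,
    TooManyInstances { limit: usize },
    ResponseTooLarge { limit: usize },
}

impl fmt::Display for ExpandError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ExpandError::InvalidInterval => write!(f, "recurrence interval must be positive"),
            ExpandError::TooManyInstances { limit } => write!(f, "expansion exceeds {limit} instances"),
            ExpandError::ResponseTooLarge { limit } => write!(f, "expansion exceeds {limit} bytes"),
        }
    }
}

/// The shape of the bug: every occurrence inside [range_start, range_end) is
/// materialised, so the number and size of allocations is chosen by the client.
pub fn expand_unbounded(ev: &RecurringEvent, range_start: i64, range_end: i64) -> Vec<Instance> {
    let mut out = Vec::new();
    if ev.interval_secs <= 0 {
        return out;
    }
    let end = ev.until.map_or(range_end, |u| u.min(range_end));
    let mut t = ev.dtstart;
    while t < end {
        if t >= range_start {
            out.push(Instance { uid: ev.uid.clone(), start: t, description: ev.description.clone() });
        }
        t += ev.interval_secs;
    }
    out
}

/// Hardened form: identical walk, but the instance count and an approximate
/// byte budget are checked before each push, so the worst case is bounded by
/// `limits` regardless of how many events or how long a range was requested.
pub fn expand_bounded(
    events: &[RecurringEvent],
    range_start: i64,
    range_end: i64,
    limits: ExpandLimits,
) -> Result<Vec<Instance>, ExpandError> {
    let mut out = Vec::new();
    let mut bytes = 0usize;
    for ev in events {
        if ev.interval_secs <= 0 {
            return Err(ExpandError::InvalidInterval);
        }
        let end = ev.until.map_or(range_end, |u| u.min(range_end));
        let mut t = ev.dtstart;
        while t < end {
            if t >= range_start {
                if out.len() + 1 > limits.max_instances {
                    return Err(ExpandError::TooManyInstances { limit: limits.max_instances });
                }
                // Approximate cost of one instance: heap strings plus the struct itself.
                bytes += ev.uid.len() + ev.description.len() + std::mem::size_of::<Instance>();
                if bytes > limits.max_bytes {
                    return Err(ExpandError::ResponseTooLarge { limit: limits.max_bytes });
                }
                out.push(Instance { uid: ev.uid.clone(), start: t, description: ev.description.clone() });
            }
            t += ev.interval_secs;
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample mirroring the advisory's shape: 300 daily events, each
    // carrying a 1000-character description, expanded over a one-year range.
    let events: Vec<RecurringEvent> = (0..300)
        .map(|i| RecurringEvent {
            uid: format!("evt-{i}"),
            dtstart: 0,
            interval_secs: 86_400,
            until: None,
            description: "D".repeat(1000),
        })
        .collect();
    let limits = ExpandLimits { max_instances: 5_000, max_bytes: 8 << 20 };
    match expand_bounded(&events, 0, 365 * 86_400, limits) {
        Ok(v) => println!("expanded {} instances", v.len()),
        Err(e) => println!("REPORT rejected: {e}"),
    }
}
```

The important property is that rejection happens during the walk, before the oversized collection exists; checking `out.len()` after the loop would still let the allocation happen. In a real server the byte estimate would be replaced by the serialised size of the reply, and the limits would be configuration rather than constants.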

Potential Impact

For European organizations using Stalwart as their mail and collaboration server, this vulnerability poses a significant risk of service disruption. The ability for an authenticated attacker to cause a denial-of-service by exhausting server memory can lead to downtime, impacting business continuity and productivity. Organizations relying on Stalwart for critical communications and scheduling could face operational delays and potential loss of trust from users. Additionally, repeated exploitation attempts might increase operational costs due to incident response and recovery efforts. Since the vulnerability requires authentication but no user interaction, insider threats or compromised credentials could be leveraged to exploit this flaw. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. European entities with strict uptime and data availability requirements, such as financial institutions, healthcare providers, and government agencies, could be particularly affected. Furthermore, denial-of-service attacks might be used as a diversion tactic for more sophisticated intrusions.

Mitigation Recommendations

1. Immediate upgrade to Stalwart version 0.13.3 or later is the most effective mitigation, as it contains the fix for this vulnerability.
2. If upgrading is not immediately feasible, implement strict memory limits at the container or operating system level to prevent a single process from consuming excessive RAM.
3. Monitor server memory usage continuously and set up alerts for unusual spikes that could indicate exploitation attempts.
4. Apply rate limiting specifically to CalDAV REPORT requests to reduce the risk of rapid repeated exploitation.
5. Restrict CalDAV access to a minimal set of trusted and authenticated users, employing strong authentication mechanisms and regular credential audits.
6. Consider deploying Web Application Firewalls (WAFs) or API gateways capable of detecting and blocking anomalous CalDAV request patterns.
7. Conduct regular security training for administrators to recognize and respond to potential exploitation attempts.
8. Maintain up-to-date backups and incident response plans to minimize downtime in case of successful attacks.
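Mitigation 4 (rate limiting CalDAV REPORT requests) is the throttling half of CWE-770: even with the allocation fix applied, a per-principal cap on how often the expensive expansion path can be invoked limits how much work one authenticated account can queue up. The following Rust program is an added example, not Stalwart's code; `ReportRateLimiter` and its methods are hypothetical names. It keys a token bucket on the authenticated principal, because the vulnerability is reachable only by authenticated users and a per-IP limit would not distinguish one abusive account from the others behind the same NAT.

```rust
// Added example (not Stalwart's code). All names here are hypothetical.
// Per-principal token bucket for throttling CalDAV REPORT requests.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug)]
struct Bucket {
    tokens: f64,
    last: f64, // seconds, from the clock supplied by the caller
}

/// Allows a burst of `capacity` REPORT requests per principal, refilling at
/// `refill_per_sec`. The clock is passed in so behaviour is deterministic and
/// testable offline; a server would pass a monotonic "now".
pub struct ReportRateLimiter {
    capacity: f64,
    refill_per_sec: f64,
    buckets: HashMap<String, Bucket>,
}

impl ReportRateLimiter {
    pub fn new(capacity: u32, refill_per_sec: f64) -> Self {
        ReportRateLimiter {
            capacity: f64::from(capacity),
            refill_per_sec,
            buckets: HashMap::new(),
        }
    }

    /// Returns true if the principal may run a REPORT now; false means the
    /// handler should answer 429/503 without touching the expansion path.
    pub fn allow(&mut self, principal: &str, now: f64) -> bool {
        let capacity = self.capacity;
        let refill = self.refill_per_sec;
        let b = self
            .buckets
            .entry(principal.to_string())
            .or_insert(Bucket { tokens: capacity, last: now });
        let elapsed = (now - b.last).max(0.0);
        b.tokens = (b.tokens + elapsed * refill).min(capacity);
        b.last = now;
        if b.tokens >= 1.0 {
            b.tokens -= 1.0;
            true
        } else {
            false
        }
    }

    /// Number of principals currently tracked (useful for metrics and for
    /// deciding when to evict idle buckets).
    pub fn tracked_principals(&self) -> usize {
        self.buckets.len()
    }
}

fn main() {
    // Constructed sequence: one account sends five REPORTs in the same second.
    let mut limiter = ReportRateLimiter::new(3, 0.5);
    for i in 1..=5 {
        let allowed = limiter.allow("user@example.invalid", 0.0);
        println!("REPORT #{i}: {}", if allowed { "allowed" } else { "throttled" });
    }
}
```

Where the limiter sits matters: it must run after authentication (so the key is the principal) and before the request body is parsed into an expansion job, otherwise the throttled request has already paid the cost the limit was meant to avoid. Idle buckets should be evicted periodically so the map itself does not become another unbounded allocation.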


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-08T16:19:26.172Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c1a33d65b18cd0836584b8

Added to database: 9/10/2025, 4:11:41 PM

Last enriched: 9/10/2025, 4:11:56 PM

Last updated: 9/10/2025, 5:18:20 PM
