CVE-2024-23184 MEDIUM

CVE-2024-23184

Vendor Open-Xchange Gmbh
Product OX Dovecot Pro
Weakness CWE-770 · Uncontrolled resource consumption
Published September 10, 2024
Last update November 4, 2025

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.

Key dates

02Disclosure timeline

September 10, 2024 CVE published
November 4, 2025 Record updated