VYPR
Unrated severity · NVD Advisory · Published Jan 4, 2021 · Updated Aug 4, 2024

CVE-2020-25275

Description

Dovecot lda, lmtp, and imap crash when parsing crafted email with >10,000 MIME parts, affecting versions 2.3.11-2.3.11.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dovecot lda, lmtp, and imap components suffer from improper input validation (CWE-20) when processing email messages with a large number of MIME parts. Specifically, the crash occurs when the 10,000th MIME part is of type message/rfc822 or if its parent is multipart/digest. This issue was introduced by earlier MIME parsing changes for CVE-2020-12100. Versions 2.3.11 through 2.3.11.3 are affected [1][2].

Exploitation

An attacker can send or upload a crafted email message containing more than 10,000 MIME parts to any Dovecot server running the vulnerable version. The attacker requires no authentication or user interaction, as the crash occurs during message delivery or parsing by lda, lmtp, or imap [1][2].

Impact

Successful exploitation causes a crash (denial of service) of the Dovecot process handling the message. The CVSS score is 5.3 (medium) with impact only on availability (C:N/I:N/A:L). Repeated crashes can disrupt email services [1].

Mitigation

The vulnerability is fixed in Dovecot version 2.3.13, released on 2020-09-14. Users should upgrade to 2.3.13 or later. A workaround is to filter such messages at the MTA (Mail Transfer Agent), which typically drops emails with excessively many MIME parts [1][2]. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
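The MTA-side workaround described above, as an added example that is not from the advisory or from Dovecot: a MIME-part counter with a configurable limit (the value 1000 is an assumption) that a content filter could apply before mail reaches lda or lmtp. It descends into nested message/rfc822 parts and multipart/digest containers, the structures named in the advisory, and stops counting as soon as the limit is exceeded.

```python
import email
from email import policy

# Limit is an assumption for illustration: Dovecot crashed at the 10,000th
# part, so rejecting far earlier still passes any ordinary message.
MAX_MIME_PARTS = 1000

def count_mime_parts(msg, limit=MAX_MIME_PARTS):
    """Count every MIME entity, descending into multipart/* containers and
    message/rfc822 parts; stop once the limit is exceeded so a huge message
    cannot stall the filter itself."""
    count = 0
    stack = [msg]
    while stack:
        part = stack.pop()
        count += 1
        if count > limit:
            return count
        if part.is_multipart():  # True for multipart/* and message/rfc822
            stack.extend(part.get_payload())
    return count

def check_message(raw_bytes, limit=MAX_MIME_PARTS):
    """Return (reject, parts_seen) for a raw message as the MTA receives it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    parts = count_mime_parts(msg, limit)
    return parts > limit, parts

# Constructed sample: a multipart/digest wrapping one message/rfc822 part whose
# inner message is multipart/mixed with two text/plain leaves: 5 MIME entities.
SAMPLE = b"""\
Subject: constructed digest sample
MIME-Version: 1.0
Content-Type: multipart/digest; boundary="outer"

--outer
Content-Type: message/rfc822

Subject: inner message
Content-Type: multipart/mixed; boundary="inner"

--inner

part a
--inner

part b
--inner--
--outer--
"""
```

`check_message(SAMPLE)` returns `(False, 5)`; with `limit=3` it stops early and returns `(True, 4)`.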

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 15

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 8

News mentions: 0

No linked articles in our index yet.