Apache James IMAP vulnerable to a ReDoS
Description
In Apache James, using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An IMAP user can cause a denial of service in Apache James prior to 3.6.1 by sending crafted LIST commands that exploit a vulnerable regular expression.
Vulnerability
In Apache James, the IMAP protocol handler uses a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). An authenticated IMAP user can send specially crafted LIST commands that cause the regex engine to backtrack excessively, leading to CPU exhaustion. This affects versions prior to 3.6.1. [1][2]
Exploitation
The attacker must have valid IMAP credentials to authenticate to the server. They then send a series of carefully crafted IMAP LIST commands that trigger the vulnerable regex pattern. No special privileges are needed, only the ability to execute IMAP commands. [1][2]
Impact
Successful exploitation results in a denial of service, consuming excessive CPU resources and potentially making the server unresponsive to legitimate requests. The service may need to be restarted to recover. No data confidentiality or integrity is compromised. [1][2]
Mitigation
Upgrade to Apache James 3.6.1 or later, which replaces the vulnerable regex engine with RE2J, ensuring linear-time execution without backtracking. The fix was released in January 2022. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
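The mitigation described above (evaluating the pattern with a linear-time engine instead of a backtracking regex) can be illustrated without RE2J. The following is an added example, not Apache James's code: it matches IMAP LIST wildcards (`*` and `%`, as defined in RFC 3501) by NFA simulation, the same no-backtracking principle RE2J applies to general regular expressions; the sample mailbox names are constructed.

```python
# Linear-time matcher for IMAP LIST mailbox patterns (RFC 3501, section 6.3.8):
# "*" matches any run of characters; "%" matches any run that contains no
# hierarchy delimiter. The pattern is simulated as an NFA, advancing the set of
# active pattern positions one input character at a time, so the cost is bounded
# by len(pattern) * len(name) and no input can trigger exponential backtracking.

def _closure(pattern: str, states: set[int]) -> set[int]:
    """Add every position reachable by letting a wildcard match nothing."""
    out, stack = set(states), list(states)
    while stack:
        i = stack.pop()
        if i < len(pattern) and pattern[i] in "*%" and i + 1 not in out:
            out.add(i + 1)
            stack.append(i + 1)
    return out

def imap_list_match(pattern: str, name: str, delimiter: str = ".") -> bool:
    """True if the LIST wildcard `pattern` matches the mailbox `name`."""
    states = _closure(pattern, {0})
    for ch in name:
        nxt: set[int] = set()
        for i in states:
            if i >= len(pattern):
                continue            # pattern exhausted, cannot consume more input
            p = pattern[i]
            if p == "*":
                nxt.add(i)          # "*" consumes ch and stays active
            elif p == "%":
                if ch != delimiter:
                    nxt.add(i)      # "%" consumes ch unless it is the delimiter
            elif p == ch:
                nxt.add(i + 1)      # literal character advances the pattern
        states = _closure(pattern, nxt)
        if not states:
            return False            # no active position left: fail fast
    return len(pattern) in states   # accept only if the whole pattern was consumed

def list_matching(pattern: str, mailboxes: list[str], delimiter: str = ".") -> list[str]:
    """Filter a mailbox listing the way a LIST handler would."""
    return [m for m in mailboxes if imap_list_match(pattern, m, delimiter)]

if __name__ == "__main__":
    # Constructed sample mailbox names, not taken from any real server.
    boxes = ["INBOX", "INBOX.Sent", "INBOX.Sent.2023", "Archive", "INBOX.Drafts"]
    print(list_matching("INBOX.%", boxes))              # ['INBOX.Sent', 'INBOX.Drafts']
    print(list_matching("INBOX.*", boxes))              # ['INBOX.Sent', 'INBOX.Sent.2023', 'INBOX.Drafts']
    # Long, repetitive wildcard runs against a long name stay cheap.
    print(imap_list_match("%" * 30 + "x", "a" * 5000))  # False
```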
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.james:james-server (Maven) | >= 3.1.0, < 3.6.1 | 3.6.1 |
Affected products
10 entries, 9 of them with OSV package coordinates (no CPE):
- pkg:apk/chainguard/keycloak
- pkg:apk/chainguard/keycloak-bitnami-compat
- pkg:apk/chainguard/keycloak-compat
- pkg:apk/chainguard/keycloak-iamguarded-compat
- pkg:apk/wolfi/keycloak
- pkg:apk/wolfi/keycloak-bitnami-compat
- pkg:apk/wolfi/keycloak-compat
- pkg:apk/wolfi/keycloak-iamguarded-compat
- pkg:maven/org.apache.james/james-server, range: >= 3.1.0, < 3.6.1
The eight apk entries carry the range `< 0`. The remaining entry is a CPE range record: Apache Software Foundation / Apache James (v5 range: Apache James).
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r58x-wjg8-63m9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-40110 (GHSA-linked advisory)
- www.openwall.com/lists/oss-security/2022/01/04/2 (oss-security mailing list; x_refsource_MLIST, x_refsource_MISC)
News mentions
No linked articles in our index yet.