Medium severity5.0NVD Advisory· Published Sep 10, 2024· Updated Apr 15, 2026

CVE-2024-23184

Description

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

seclists.org/fulldisclosure/2024/Aug/17nvd
www.openwall.com/lists/oss-security/2024/08/15/3nvd
documentation.open-xchange.com/dovecot/security/advisories/csaf/2024/oxdc-adv-2024-0002.jsonnvd
lists.debian.org/debian-lts-announce/2024/09/msg00002.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.325
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000