Miggo Logo
Miggo Vulnerability Database
CVE-2024-45626

CVE-2024-45626: Apache James vulnerable to denial of service through JMAP HTML to text conversion

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-45626
GHSA ID
GHSA-57m2-h3fw-rxhw
EPSS Score
0.57248%
CWE
CWE-400
Published
2/6/2025
Updated
2/11/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.james:james-server-jmap-draftmaven>= 3.8.0, < 3.8.23.8.2
org.apache.james:james-server-jmap-draftmaven< 3.7.63.7.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from HTML-to-text conversion logic. The commit diff shows a critical change in the flatten() method - replacing recursion with a Deque-based iterative approach. The original recursive implementation (flatten(Node base, int listNestedLevel)) would create unbounded stack growth for deeply nested HTML, leading to denial of service. The added test case 'deeplyNestedHtmlShouldNotThrowStackOverflow' confirms this was the vulnerable path. The CWE-400 classification (uncontrolled resource consumption) aligns with the recursion-induced memory exhaustion scenario fixed by this change.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** J*m*s s*rv*r JM*P *TML to t*xt pl*in impl*m*nt*tion in v*rsions **low *.*.* *n* *.*.* is su*j**t to un*oun*** m*mory *onsumption t**t **n r*sult in * **ni*l o* s*rvi**. Us*rs *r* r**omm*n*** to up*r*** to v*rsion *.*.* *n* *.*.*, w*i** *ix t*

Reasoning

T** vuln*r**ility st*ms *rom *TML-to-t*xt *onv*rsion lo*i*. T** *ommit *i** s*ows * *riti**l ***n** in t** `*l*tt*n()` m*t*o* - r*pl**in* r**ursion wit* * **qu*-**s** it*r*tiv* *ppro***. T** ori*in*l r**ursiv* impl*m*nt*tion (`*l*tt*n(No** **s*, int