Cyber Resilience

CVE-2024-37358

Severity: High · DDoS

Published: 06 February 2025
Modified: 29 September 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available
CVSS v3.1 Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0076 (73.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37358 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Apache James Server. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2024-37358 is a denial-of-service vulnerability in Apache James, similar to CVE-2024-34055, stemming from the abuse of IMAP literals. This flaw enables both authenticated and unauthenticated users to trigger unbounded memory allocation and excessively long computations, as classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability affects Apache James versions prior to the patched releases.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, no user interaction, and resulting in a scope change that highly impacts availability, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). Successful exploitation leads to denial of service through resource exhaustion.

Apache advisories note that versions 3.7.6 and 3.8.2 mitigate the issue by restricting illegitimate use of IMAP literals. Further details are available in the Apache mailing list thread at https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc.


Vulnerability details

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations. Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.
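The two passages above describe the same failure mode: an IMAP literal announcement such as {N} or {N+} carries a client-chosen size, and a server that sizes buffers or work from that number before checking it has a CWE-770 problem. The following Python sketch is an added example, not Apache James code and not the project's actual fix. It shows the unchecked reader shape next to a hardened reader that validates every literal announcement against a policy before a single byte is allocated or read; the policy caps (tighter before login), the helper names, and the sample client bytes are all constructed for this example.

```python
import io
import re
from dataclasses import dataclass

# IMAP literal announcement at the end of a command line (RFC 3501 / RFC 7888):
#   {N}   synchronizing literal: the server sends a continuation before the data
#   {N+}  non-synchronizing literal (LITERAL+): the data follows immediately
#   {N-}  non-synchronizing literal (LITERAL-): like {N+}, limited to 4096 octets
LITERAL_RE = re.compile(rb"\{(\d+)([+-]?)\}\r\n$")

LITERAL_MINUS_MAX = 4096  # RFC 7888 LITERAL- bound for {N-} literals


class LiteralRejected(Exception):
    """Raised when a literal announcement violates the configured policy."""


@dataclass
class LiteralPolicy:
    # Caps are illustrative assumptions for this example, not Apache James settings.
    max_unauthenticated: int = 8 * 1024        # before login: a password or SASL blob
    max_authenticated: int = 32 * 1024 * 1024  # after login: e.g. an APPENDed message
    max_literals_per_command: int = 8


def parse_literal_announcement(line: bytes):
    """Return (size, kind) if the line ends with a literal announcement, else None."""
    m = LITERAL_RE.search(line)
    if m is None:
        return None
    kind = {b"": "sync", b"+": "nonsync", b"-": "nonsync-small"}[m.group(2)]
    return int(m.group(1)), kind


def check_literal(size: int, kind: str, authenticated: bool,
                  policy: LiteralPolicy, literals_so_far: int) -> None:
    """Enforce limits before any buffer is sized from the client's number."""
    if literals_so_far >= policy.max_literals_per_command:
        raise LiteralRejected("too many literals in one command")
    if kind == "nonsync-small" and size > LITERAL_MINUS_MAX:
        raise LiteralRejected(f"LITERAL- announcement of {size} exceeds {LITERAL_MINUS_MAX}")
    cap = policy.max_authenticated if authenticated else policy.max_unauthenticated
    if size > cap:
        state = "authenticated" if authenticated else "unauthenticated"
        raise LiteralRejected(f"literal of {size} octets exceeds {state} cap {cap}")


def read_command_unbounded(stream) -> list:
    """The CWE-770 shape: the announced size drives allocation without any check."""
    parts = [stream.readline()]
    ann = parse_literal_announcement(parts[-1])
    while ann is not None:
        buf = bytearray(ann[0])  # buffer sized straight from client input
        stream.readinto(buf)
        parts.append(bytes(buf))
        parts.append(stream.readline())
        ann = parse_literal_announcement(parts[-1])
    return parts


def read_command_bounded(stream, authenticated: bool, policy: LiteralPolicy) -> list:
    """Hardened reader: every literal is checked against policy before it is read."""
    parts = []
    literals = 0
    line = stream.readline()
    while True:
        parts.append(line)
        ann = parse_literal_announcement(line)
        if ann is None:
            return parts
        size, kind = ann
        check_literal(size, kind, authenticated, policy, literals)
        literals += 1
        data = stream.read(size)  # bounded by the cap that was just enforced
        if len(data) != size:
            raise LiteralRejected("connection closed before the literal completed")
        parts.append(data)
        line = stream.readline()


def parse_command(raw: bytes, authenticated: bool, policy=None) -> list:
    """Parse one client command (constructed bytes) with the bounded reader."""
    return read_command_bounded(io.BytesIO(raw), authenticated, policy or LiteralPolicy())


def literal_verdict(raw: bytes, authenticated: bool, policy=None) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a constructed client command."""
    try:
        parse_command(raw, authenticated, policy)
        return "accepted"
    except LiteralRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed client input: a LOGIN with two non-synchronizing literals.
    print(literal_verdict(b"a1 LOGIN {3+}\r\nbob {6+}\r\nsecret\r\n", authenticated=False))
    # Constructed hostile announcement: rejected before any read takes place.
    print(literal_verdict(b"a2 LOGIN {4294967295+}\r\n", authenticated=False))
```

The design point is the ordering: the announcement is parsed, then judged against the connection's state and a per-command counter, and only then is the literal read, so a client can never steer allocation size or the number of allocations with a number the server has not yet vetted. A lower pre-login cap mirrors the advisory's point that unauthenticated users could trigger the problem.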

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.002 Service Exhaustion Flood (Impact)
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Direct, remote, unauthenticated exploitation of a public-facing IMAP service for resource-exhaustion DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-45626 (same product: Apache James Server)
CVE-2026-29168 (same vendor: Apache)
CVE-2026-41284 (same vendor: Apache)
CVE-2025-8099 (shared CWE-770)
CVE-2026-49361 (same vendor: Apache)
CVE-2026-27446 (same vendor: Apache)
CVE-2024-32838 (same vendor: Apache)
CVE-2026-34486 (same vendor: Apache)
CVE-2026-31910 (same vendor: Apache)
CVE-2026-41084 (same vendor: Apache)

Affected Assets

Apache James Server: ≤ 3.7.6 · 3.8.0 to 3.8.2

Mitigating Controls (NIST 800-53 r5) (AI)

SC-5 Denial-of-Service Protection (prevent)
Directly enforces denial-of-service protections to mitigate resource exhaustion from IMAP literal abuse by both authenticated and unauthenticated users.

SC-6 Resource Availability (prevent)
Ensures resource availability by limiting allocation of memory and computational resources, preventing unbounded usage triggered by IMAP literals.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and remediation of flaws like this IMAP literal vulnerability through patching to versions 3.7.6 or 3.8.2.

References

Apache mailing list thread: https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc