CVE-2024-37358

High

Published: 06 February 2025

Published

06 February 2025

Modified

29 September 2025

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0076 73.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-37358 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Apache James Server. Its CVSS base score is 8.6 (High).

Operationally, ranked in the top 26.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-5 Denial-of-service Protection good match

prevent

Directly enforces denial-of-service protections to mitigate resource exhaustion from IMAP literal abuse by both authenticated and unauthenticated users.

SC-6 Resource Availability good match

prevent

Ensures resource availability by limiting allocation of memory and computational resources, preventing unbounded usage triggered by IMAP literals.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and remediation of flaws like this IMAP literal vulnerability through patching to versions 3.7.6 or 3.8.2.

NVD Description

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2…

restrict such illegitimate use of IMAP literals.

Deeper analysisAI

CVE-2024-37358 is a denial-of-service vulnerability in Apache James, similar to CVE-2024-34055, stemming from the abuse of IMAP literals. This flaw enables both authenticated and unauthenticated users to trigger unbounded memory allocation and excessively long computations, as classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability affects Apache James versions prior to the patched releases.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, no user interaction, and resulting in a scope change that highly impacts availability, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). Successful exploitation leads to denial of service through resource exhaustion.

Apache advisories note that versions 3.7.6 and 3.8.2 mitigate the issue by restricting illegitimate use of IMAP literals. Further details are available in the Apache mailing list thread at https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc.

Details

CWE(s): CWE-770

Affected Products

apache

james server

≤ 3.7.6 · 3.8.0 — 3.8.2

CVEs Like This One

CVE-2024-45626Same product: Apache James Server

CVE-2026-29168Same vendor: Apache

CVE-2026-40010Same vendor: Apache

CVE-2024-43166Same vendor: Apache

CVE-2025-58130Same vendor: Apache

CVE-2026-33266Same vendor: Apache

CVE-2026-42027Same vendor: Apache

CVE-2025-24783Same vendor: Apache

CVE-2026-24343Same vendor: Apache

CVE-2026-42402Same vendor: Apache

References

https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc
Mailing List, Vendor Advisory · security@apache.org