Cyber Resilience

CVE-2024-39929

Medium · Public PoC

Published: 04 July 2024
Modified: 10 July 2025
KEV Added: not listed
Patch: see Deeper analysis
CVSS v3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
EPSS score: 0.6031 (98.3rd percentile)
Risk Priority: 47 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39929 is a medium-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Exim. Its CVSS base score is 5.4 (Medium).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Exim through version 4.97.1 contains a parsing flaw in its handling of multiline RFC 2231 header filenames, that is, filename parameters split into continuation sections across several header lines. The software fails to correctly reassemble and interpret such encoded filename parameters, which allows an attacker-supplied value to evade the $mime_filename extension check that administrators rely on to block executable attachments.

Remote, unauthenticated attackers can exploit the issue by sending a crafted message containing a specially formatted Content-Disposition header. A successful bypass results in executable files reaching user mailboxes, with the CVSS vector reflecting a network attack vector, low complexity, and required user interaction for the final payload delivery.
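The defensive counterpart to the misparsing described above is a filename check that reassembles RFC 2231 continuation sections before looking at the extension. The following is an added example written for this page, not Exim's code and not a reconstruction of its bug: it unfolds the header, joins `filename*N` and `filename*N*` sections in order (handling the charset'lang' prefix and percent-encoding of extended sections, and quoted plain sections more generally than the one case the text mentions), and applies an assumed block list. `SAMPLE_HEADER`, `BLOCKED_EXTENSIONS` and the function names are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample (not a captured message): the filename is split into
# RFC 2231 continuation sections and folded across several header lines.
# A check that only reads a bare "filename=" parameter sees no filename here.
SAMPLE_HEADER = (
    "Content-Disposition: attachment;\r\n"
    " filename*0*=us-ascii'en'quarterly%2Dreport;\r\n"
    " filename*1*=%2Eexe\r\n"
)

# Assumed site policy; Exim operators normally express this in a MIME ACL.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "js"}

# name=value pairs; values may be quoted strings or unquoted tokens
_PARAM_RE = re.compile(r'([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def unfold(header):
    """Join folded lines (CRLF followed by whitespace) into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def rfc2231_filename(header):
    """Reassemble filename[*N][*] sections in index order; a trailing '*'
    marks a percent-encoded value, and section 0 may carry charset'lang'."""
    _, _, params = unfold(header).partition(";")
    sections, charset = {}, "us-ascii"
    for name, value in _PARAM_RE.findall(params):
        name, value = name.strip().lower(), value.strip()
        rest = name[len("filename"):]
        if not name.startswith("filename") or (rest and rest[0] != "*"):
            continue  # a different parameter altogether
        extended = rest.endswith("*")
        index = int(rest.strip("*") or 0)
        if extended:
            if index == 0 and value.count("'") >= 2:
                charset, _, value = value.split("'", 2)
                charset = charset or "us-ascii"
            value = unquote_to_bytes(value).decode(charset, "replace")
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        sections[index] = value
    if not sections:
        return None
    return "".join(sections[i] for i in sorted(sections))


def should_block(header):
    name = rfc2231_filename(header) or ""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return ext in BLOCKED_EXTENSIONS
```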

Public commits in the Exim repository address the misparsing by correcting RFC 2231 handling, and the changes appear between release candidates 4.98-RC2 and 4.98-RC3. Operators should upgrade to a patched release that incorporates these fixes.

The EPSS score has reached a peak of 0.6391 with a current value of 0.6031, indicating sustained moderate exploitation interest following disclosure.

Vulnerability details

Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.

CWE(s): CWE-116 (Improper Encoding or Escaping of Output)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: exim
Product: exim
Versions: ≤ 4.97.1

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-116

Validating that output matches expected content directly mitigates failures to properly encode or escape data for its destination context.