Cyber Posture

CVE-2024-45626

Medium

Published: 06 February 2025

Modified: 11 February 2025
KEV Added: not listed
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0015 (35.3rd percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45626 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache James Server. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks at the 35.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Flaw remediation by upgrade (prevent): directly mitigates the CVE by identifying, reporting, and correcting the specific flaw through a software upgrade to Apache James 3.7.6 or 3.8.2.

- SC-5 Denial-of-service Protection (prevent): prevents or limits the effects of denial-of-service events such as the unbounded memory consumption triggered by crafted JMAP inputs.

- SC-6 Resource Availability (prevent): ensures resource availability by allocating memory limits per process or user, countering the unbounded consumption in the HTML to text conversion.

NVD Description

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.

Deeper analysis

CVE-2024-45626 affects the JMAP HTML to text plain implementation in Apache James server versions below 3.8.2 and 3.7.6. The vulnerability involves unbounded memory consumption, which can lead to a denial of service. It is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By sending crafted input to the affected JMAP component, the attacker triggers excessive memory usage, resulting in high-impact availability disruption while causing no impact to confidentiality or integrity.

Apache advisories recommend upgrading to version 3.7.6 or 3.8.2, which address the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/1fr9hvpsylomwwfr3rv82g84sxszn4kl and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/02/05/7.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Affected Products: Apache James Server, versions ≤ 3.7.6 and 3.8.0 through 3.8.2

CVEs Like This One

CVE-2024-37358 (same product: Apache James Server)
CVE-2026-42402 (same vendor: Apache)
CVE-2025-23184 (same vendor: Apache)
CVE-2026-39304 (same vendor: Apache)
CVE-2026-42403 (same vendor: Apache)
CVE-2026-40010 (same vendor: Apache)
CVE-2024-43166 (same vendor: Apache)
CVE-2025-58130 (same vendor: Apache)
CVE-2026-33266 (same vendor: Apache)
CVE-2026-42027 (same vendor: Apache)
