zbateson/mail-mime-parser is vulnerable to Uncontrolled Resource Consumption
75
High Risk
The MIME parser has three super-linear parsing paths: deep multipart nesting is O(depth^2) in MimeParserService::findContentBoundary(), appending many sibling parts is O(n^2) in PartChildrenContainer::add(), and header buffering in HeaderParserService::parse() caps neither header count nor total header size. A crafted message of only a few megabytes can therefore consume seconds of CPU or hundreds of megabytes to gigabytes of memory when parsed, leading to an out-of-memory kill and denial of service. Because the cost is super-linear, a caller-side byte-size cap does not bound the work performed. The fix adds configurable limits on multipart nesting depth and header count/total size and changes sibling append to linear cost.
You are affected if you are using a version that falls within the vulnerable range.
zbateson/mail-mime-parser is vulnerable to Uncontrolled Resource Consumption in versions 2.0.0 - 3.0.5 and 4.0.0 - 4.0.1.
Upgrade the zbateson/mail-mime-parser library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant