Intel

AIKIDO-2026-323852

zbateson/mail-mime-parser is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource ConsumptionGHSA-f6v3-2qmr-vfjx Published 3 days ago

75

High Risk

This Affects:

PHPzbateson/mail-mime-parser
2.0.0 - 3.0.5
Fixed in 3.0.6
4.0.0 - 4.0.1
Fixed in 4.0.2
Are you affected? Scan for Free

TL;DR

The MIME parser has three super-linear parsing paths: deep multipart nesting is O(depth^2) in MimeParserService::findContentBoundary(), appending many sibling parts is O(n^2) in PartChildrenContainer::add(), and header buffering in HeaderParserService::parse() caps neither header count nor total header size. A crafted message of only a few megabytes can therefore consume seconds of CPU or hundreds of megabytes to gigabytes of memory when parsed, leading to an out-of-memory kill and denial of service. Because the cost is super-linear, a caller-side byte-size cap does not bound the work performed. The fix adds configurable limits on multipart nesting depth and header count/total size and changes sibling append to linear cost.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

zbateson/mail-mime-parser is vulnerable to Uncontrolled Resource Consumption in versions 2.0.0 - 3.0.5 and 4.0.0 - 4.0.1.

How to fix this

Upgrade the zbateson/mail-mime-parser library to the patch version.