{"id":"CVE-2024-4140","details":"An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts.","modified":"2026-04-16T04:38:44.755556992Z","published":"2024-05-02T20:15:07.333Z","related":["openSUSE-SU-2024:13973-1"],"references":[{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2024-4140"},{"type":"REPORT","url":"https://github.com/rjbs/Email-MIME/issues/66"},{"type":"REPORT","url":"https://github.com/rjbs/Email-MIME/pull/80"},{"type":"FIX","url":"https://github.com/rjbs/Email-MIME/commit/b2cb62f19e12580dd235f79e2546d44a6bec54d1"},{"type":"FIX","url":"https://github.com/rjbs/Email-MIME/commit/fc0fededd24a71ccc51bcd8b1e486385d09aae63"},{"type":"FIX","url":"https://github.com/rjbs/Email-MIME/commit/02bf3e26812c8f38a86a33c168571f9783365df2"},{"type":"FIX","url":"https://github.com/rjbs/Email-MIME/commit/3a12edd119e493156a5a05e45dd50f4e36b702e8"},{"type":"FIX","url":"https://github.com/rjbs/Email-MIME/commit/3dcf096eeccb8e4dd42738de676c8f4a5aa7a531"},{"type":"FIX","url":"https://github.com/rjbs/Email-MIME/commit/7e96ecfa1da44914a407f82ae98ba817bba08f2d"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFD5BWGYAVLW6IO4SUNLTJCFFLHZYQGT/"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHXHDLPZ6JV4KK3Q43O6TE3WOBAIUQRC/"},{"type":"ARTICLE","url":"https://bugs.debian.org/960062"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rjbs/email-mime","events":[{"introduced":"0"},{"fixed":"d339016779f55c8842e10d3f15d273df26c6a0ad"},{"fixed":"02bf3e26812c8f38a86a33c168571f9783365df2"},{"fixed":"3a12edd119e493156a5a05e45dd50f4e36b702e8"},{"fixed":"3dcf096eeccb8e4dd42738de676c8f4a5aa7a531"},{"fixed":"7e96ecfa1da44914a407f82ae98ba817bba08f2d"},{"fixed":"b2cb62f19e12580dd235f79e2546d44a6bec54d1"},{"fixed":"fc0fededd24a71ccc51bcd8b1e486385d09aae63"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.954"}]}}],"versions":["1.862","1.863","1.900","1.901","1.902","1.903","1.904","1.905","1.906","1.907","1.908","1.909","1.910","1.911","1.912_01","1.920","1.921","1.922","1.923","1.924","1.925","1.926","1.927","1.928","1.929","1.930","1.931","1.932","1.933","1.934","1.935","1.936","1.937","1.938","1.939","1.940","1.941","1.944","1.945","1.946","1.947","1.948","1.949","1.950","1.951","1.952","1.953"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"39"}]},{"events":[{"introduced":"0"},{"last_affected":"40"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4140.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}