NVD - CVE-2025-53645 (original) (raw)

Description

Zimbra Collaboration (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST CVSS score

NIST: NVD

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST CVSS score

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-400	Uncontrolled Resource Consumption	CISA-ADP

Change History

5 change records found show changes

CVE Modified by CISA-ADP 6/17/2026 5:38:37 AM

Action	Type	Old Value	New Value
Added	SSVC		{"timestamp":"2025-07-09T19:28:49.259174Z","id":"CVE-2025-53645","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

CVE Modified by MITRE 6/17/2026 5:38:37 AM

Action	Type	Old Value	New Value
Added	Affected		[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]

CVE Modified by MITRE 7/22/2025 12:15:33 PM

Action	Type	Old Value	New Value
Changed	Description	Zimbra Collaboration Suite (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in both the Webmail interface and the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service.	Zimbra Collaboration (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service.

CVE Modified by CISA-ADP 7/09/2025 4:15:27 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Added	CWE		CWE-400

New CVE Received from MITRE 7/09/2025 1:15:31 PM

Action	Type	New Value
Added	Description	Zimbra Collaboration Suite (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in both the Webmail interface and the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service.
Added	Reference	https://wiki.zimbra.com/wiki/Security\_Center
Added	Reference	https://wiki.zimbra.com/wiki/Zimbra\_Releases/10.0.15#Security\_Fixes
Added	Reference	https://wiki.zimbra.com/wiki/Zimbra\_Releases/10.1.9#Security\_Fixes
Added	Reference	https://wiki.zimbra.com/wiki/Zimbra\_Releases/9.0.0/P46#Security\_Fixes
Added	Reference	https://wiki.zimbra.com/wiki/Zimbra\_Responsible\_Disclosure\_Policy
Added	Reference	https://wiki.zimbra.com/wiki/Zimbra\_Security\_Advisories