How to crash an email server with a single email
Blog post from Snyk
A vulnerability has been discovered in five popular Node.js email parsers that allows a denial of service (DoS) attack: an email carrying millions of empty attachments bypasses typical message size limits and, because each attachment is materialised in memory, freezes the Node.js event loop and exhausts the heap. The issue affects libraries such as mailparser and Haraka, both widely used across many projects, and can crash servers with out-of-memory errors.

The vulnerability is easy to trigger but can be mitigated by a simple check that limits the number of attachments a parser will accept. Despite the simplicity of the fix, it raises questions about oversight in software design, where performance and security considerations are often overlooked.

The discovery was part of a broader effort to improve the efficiency and security of email parsing, illustrating the importance of performance testing and the need for proactive vulnerability assessments. The disclosure followed a coordinated timeline, with fixes and public announcements handled jointly by security researchers and developers, although some parsers remain without a fix.
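The attachment-count limit described above, as an added example that is not code from Snyk, mailparser or Haraka: a minimal scanner that counts top-level MIME parts in a raw message and stops as soon as a hypothetical cap (`MAX_ATTACHMENTS`) is exceeded, so a message built from millions of tiny parts is rejected before any part is allocated. The sample message builder and its header values are constructed for the demonstration.

```javascript
// Added example (not the original page's code): enforce a cap on the number
// of MIME parts while scanning, instead of parsing every attachment first.

const MAX_ATTACHMENTS = 100; // hypothetical policy value, not from the page

// Return the outermost multipart boundary from the top-level headers, or null.
// Folded header lines (RFC 5322 continuation lines) are unfolded first.
function topLevelBoundary(raw) {
  const headerEnd = raw.search(/\r?\n\r?\n/);
  const headers = (headerEnd === -1 ? raw : raw.slice(0, headerEnd))
    .replace(/\r?\n[ \t]+/g, ' ');
  const m = /content-type:[^\r\n]*?boundary="?([^";\r\n]+)"?/i.exec(headers);
  return m ? m[1] : null;
}

// Count body parts of the top-level multipart, giving up at `limit + 1`.
// Only delimiters at the start of a line count; "--boundary--" closes the body.
function countMimeParts(raw, limit = MAX_ATTACHMENTS) {
  const boundary = topLevelBoundary(raw);
  if (!boundary) return { parts: 0, exceeded: false };
  const delimiter = '--' + boundary;
  let parts = 0;
  let pos = raw.indexOf(delimiter);
  while (pos !== -1) {
    const after = pos + delimiter.length;
    const atLineStart = pos === 0 || raw[pos - 1] === '\n';
    if (atLineStart) {
      if (raw.startsWith('--', after)) break; // closing delimiter: done
      parts += 1;
      if (parts > limit) return { parts, exceeded: true };
    }
    pos = raw.indexOf(delimiter, after);
  }
  return { parts, exceeded: false };
}

// Constructed sample: a multipart/mixed message with N empty attachments.
function buildMessage(attachmentCount, boundary = 'b0') {
  const head = 'From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n' +
    'Content-Type: multipart/mixed;\r\n boundary="' + boundary + '"\r\n\r\n';
  let body = '';
  for (let i = 0; i < attachmentCount; i++) {
    body += '--' + boundary + '\r\nContent-Disposition: attachment; ' +
      'filename="x' + i + '"\r\n\r\n\r\n';
  }
  return head + body + '--' + boundary + '--\r\n';
}
```

A gateway would run `countMimeParts` on the raw message before handing it to a full parser and reject it when `exceeded` is true.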