CVE-2024-39929
Published: 2024-07-04
Priority: P3 (42), medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
EPSS: 41.23% (98.5th percentile)
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.96-15+deb12u5 (bookworm) | exim4 4.96-15+deb12u5 (bookworm) |
| exim | exim | <= 4.97.1 | — |
Detection & IOCs (extracted from sources)
- Exim misparses multiline RFC 2231 header filenames, allowing bypass of the $mime_filename extension-blocking protection mechanism. Detect crafted emails with multiline MIME header filenames (RFC 2231 encoded) that split a blocked extension across continuation lines.
- Monitor for executable attachments delivered to end-user mailboxes via Exim versions up to and including 4.97.1, particularly where $mime_filename extension blocking is configured but may be bypassed by multiline MIME header filename encoding.
- The bypass only affects deployments where $mime_filename extension-blocking is configured in Exim ACLs. Installations not using this protection mechanism are not affected by the bypass logic, though they may still receive malicious attachments.
- This flaw requires end-user interaction to execute the delivered attachment; the vulnerability itself does not result in automatic code execution on the mail server.
- Fixed in Exim 4.98 (changelog reference 3099). Debian bookworm fix is in 4.96-15+deb12u5; bullseye fix is in 4.94.2-7+deb11u3. All Exim versions through 4.97.1 are vulnerable.
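The parsing point at issue, as an added Python example (this is not Exim's code or the 4.98 patch): RFC 2231 lets one MIME parameter be carried as filename*0, filename*1, ... continuation segments, optionally percent-encoded with a charset'lang' prefix (filename*0*=UTF-8''...). A blocklist that sees only a single segment misses an extension split across segments, so the check has to run on the fully reassembled value. The block reassembles continuations, applies an extension blocklist, and contrasts that with a first-segment-only view. The blocklist set, the sample headers and all function names are constructed for illustration; first_segment_only models the class of misparse described above, not Exim's actual code path.

```python
"""Added example (not Exim code): RFC 2231 filename reassembly vs. a naive
single-segment check, to show why an attachment-extension blocklist must run
on the fully reassembled parameter value."""
import re
from typing import Iterator, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Illustrative blocklist; the real set is deployment-specific.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "com", "pif", "js", "vbs"}

# One MIME parameter: name, optional *N continuation index, optional trailing *
# (RFC 2231 charset'lang'%-encoding), then a quoted-string or token value.
_PARAM_RE = re.compile(
    r"(?P<name>[A-Za-z0-9!#$&+\-^_.]+?)"
    r"(?:\*(?P<section>\d+))?"
    r"(?P<ext>\*)?"
    r"\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>[^;\s]+))'
)


def _iter_params(header_value: str) -> Iterator[Tuple[str, int, bool, str]]:
    """Unfold the header (CRLF + whitespace) and yield (name, section, is_extended, raw_value)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    _, _, params = unfolded.partition(";")
    for m in _PARAM_RE.finditer(params):
        name = m.group("name").lower()
        section = int(m.group("section")) if m.group("section") is not None else 0
        if m.group("quoted") is not None:
            value = re.sub(r"\\(.)", r"\1", m.group("quoted"))  # undo quoted-pairs
        else:
            value = m.group("token")
        yield name, section, m.group("ext") is not None, value


def _decode_section(section: int, is_ext: bool, value: str, charset: str) -> Tuple[bytes, str]:
    """Decode one segment; section 0 of an extended value carries the charset'lang' prefix."""
    if not is_ext:
        return value.encode("utf-8"), charset
    if section == 0 and value.count("'") >= 2:
        cs, _lang, value = value.split("'", 2)
        charset = cs or charset
    return unquote_to_bytes(value), charset


def _safe_decode(buf: bytes, charset: str) -> str:
    try:
        return buf.decode(charset, errors="replace")
    except LookupError:  # unknown charset label: fall back rather than fail open
        return buf.decode("utf-8", errors="replace")


def parse_params(header_value: str) -> dict:
    """Return {name: value} with RFC 2231 continuations joined in section order."""
    collected: dict = {}
    for name, section, is_ext, value in _iter_params(header_value):
        collected.setdefault(name, {})[section] = (is_ext, value)
    result = {}
    for name, parts in collected.items():
        charset, buf = "utf-8", bytearray()
        for section in sorted(parts):
            is_ext, value = parts[section]
            chunk, charset = _decode_section(section, is_ext, value, charset)
            buf += chunk
        result[name] = _safe_decode(bytes(buf), charset)
    return result


def first_segment_only(header_value: str) -> Optional[str]:
    """Stand-in for a checker that never joins continuations and sees only
    filename*0 / filename. Models the class of misparse, not Exim's code path."""
    for name, section, is_ext, value in _iter_params(header_value):
        if name == "filename" and section == 0:
            chunk, charset = _decode_section(0, is_ext, value, "utf-8")
            return _safe_decode(chunk, charset)
    return None


def blocked_extension(filename: Optional[str]) -> Optional[str]:
    """Return the lower-cased extension if it is on the blocklist, else None."""
    if not filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def check_attachment(header_value: str) -> dict:
    """Detection-style summary: reassembled filename, blocked extension, and
    whether continuation or extended (*) parameters were used at all."""
    params = parse_params(header_value)
    used_continuation = any(
        section > 0 or is_ext for _n, section, is_ext, _v in _iter_params(header_value)
    )
    filename = params.get("filename")
    return {"filename": filename, "blocked": blocked_extension(filename), "continuation": used_continuation}


# Constructed sample Content-Disposition values (not captured from real traffic).
SAMPLE_PLAIN = 'attachment; filename="report.pdf"'
SAMPLE_CONTINUATION = 'attachment;\r\n filename*0="invoice.ex";\r\n filename*1="e"'
SAMPLE_ENCODED = "attachment; filename*0*=UTF-8''Rechnung%20Q3.s; filename*1*=cr"

if __name__ == "__main__":
    for hdr in (SAMPLE_PLAIN, SAMPLE_CONTINUATION, SAMPLE_ENCODED):
        print(check_attachment(hdr), "| first segment only:", first_segment_only(hdr))
```

On the two crafted samples the first-segment view yields "invoice.ex" and "Rechnung Q3.s", neither of which is on the blocklist, while the reassembled names end in .exe and .scr. For detection, the "continuation" flag alone is a noisy signal (RFC 2231 continuations are legitimate for long or non-ASCII filenames); the useful alert is continuation use combined with a blocked extension in the reassembled name.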
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| osv | | 5.4 | MEDIUM | |
| vendor_debian | | 5.4 | MEDIUM | |
| vendor_redhat | | 5.4 | MEDIUM | |
Ubuntu
Exim vulnerability
vendor_ubuntu·2024-07-31
Summary: Exim could be made to bypass a MIME filename extension-blocking protection mechanism if it received specially crafted input.
Phillip Szelat discovered that Exim misparses multiline MIME header filenames. A remote attacker could use this issue to bypass a MIME filename extension-blocking protection mechanism and possibly deliver executable attachments to the mailboxes of end users.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
exim: exim: Incorrect parsing of multiline rfc2231 header filename
vendor_redhat·2024-07-04·CVSS 5.4
CVE-2024-39929 [MEDIUM] CWE-693 exim: exim: Incorrect parsing of multiline rfc2231 header filename
A vulnerability was found in the Exim package. Exim is vulnerable to bypassing the $mime_filename extension-blocking protection mechanism. This flaw could potentially result in delivering malicious executable attachments to end users, which would require their interaction to run.
Statement: Exim is not shipped in any Red Hat Offerings.
Debian
CVE-2024-39929: exim4 - Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus rem...
vendor_debian·2024·CVSS 5.4
Scope: local
bookworm: resolved (fixed in 4.96-15+deb12u5)
bullseye: resolved (fixed in 4.94.2-7+deb11u3)
forky: resolved (fixed in 4.98~RC3-2)
sid: resolved (fixed in 4.98~RC3-2)
trixie: resolved (fixed in 4.98~RC3-2)
OSV
CVE-2024-39929: Exim through 4
osv·2024-07-04·CVSS 5.4
GHSA
GHSA-7m4v-cwm7-4f2m: Exim through 4
ghsa_unreviewed·2024-07-04
CVE-2024-39929 [MEDIUM] CWE-116 GHSA-7m4v-cwm7-4f2m: Exim through 4
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-67896 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.4
Note: this Wiz entry covers a different Exim issue, CVE-2025-67896 (a heap-based buffer overflow), not CVE-2024-39929.
## CVE-2025-67896: Exim vulnerability analysis and mitigation
Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
Source: NVD
Score: 9.8, Severity CRITICAL (CNA Score 7.0)
Published: December 14, 2025
Affected Technologies: Exim, Linux Fedora
Has Public Exploit: No
Has CISA KEV Exploit: No (CISA KEV Release Date N/A, CISA KEV Due Date N/A)
Exploitation Probability (EPSS): 0.1 (24.9th percentile)
Affected packages and libraries: exim-pgsql-debuginfo, cpe:2.3:a:exim:exim
Sources: Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21; Severity CRITICAL; No Fix; Added at: Dec 24, 2025
Bugzilla
CVE-2024-39929 exim: exim: Incorrect parsing of multiline rfc2231 header filename
bugzilla·2024-07-04·CVSS 5.4
Discussion:
This was fixed in Exim 4.98 per changelog https://code.exim.org/exim/exim/src/branch/master/doc/doc-txt/ChangeLog (reference 3099) and as such should be fixed in all current Fedora versions.
References:
- https://bugs.exim.org/show_bug.cgi?id=3099#c4
- https://git.exim.org/exim.git/commit/1b3209b0577a9327ebb076f3b32b8a159c253f7b
- https://git.exim.org/exim.git/commit/6ce5c70cff8989418e05d01fd2a57703007a6357
- https://github.com/Exim/exim/compare/exim-4.98-RC2...exim-4.98-RC3
- https://www.rfc-editor.org/rfc/rfc2231.txt
Published: 2024-07-04