Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/171510?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/171510?format=api", "purl": "pkg:gem/net-imap@0.4.9", "type": "gem", "namespace": "", "name": "net-imap", "version": "0.4.9", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51305?format=api", "vulnerability_id": "VCID-2yaf-esyj-muab", "summary": "net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication\n### Summary\n\nWhen authenticating a connection with `SCRAM-SHA1` or `SCRAM-SHA256`, a\nhostile server can perform a computational denial-of-service attack on the\nclient process by sending a big iteration count value.\n\n### Details\n\nA hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in\nthe SCRAM server-first-message, causing the client to perform an expensive\n`OpenSSL::KDF.pbkdf2_hmac` call. Because the PBKDF2 function is a blocking C\nextension and holds onto Ruby’s Global VM Lock, it can freeze the entire Ruby\nVM for the duration of the computation.\n\nOpenSSL enforces an effective maximum by using a 32-bit signed integer for the\niteration count. Depending on hardware capabilities and OpenSSL version, this\niteration count may be sufficient to block all Ruby threads in the process\nfor over seven minutes.\n\nThis is listed as one of the \\\"Security Considerations\\\", in [RFC\n7804](https://www.rfc-editor.org/rfc/rfc7804.html#page-15):\n\n> A hostile server can perform a computational denial-of-service attack on\n> clients by sending a big iteration count value. 
In order to defend against\n> that, a client implementation can pick a maximum iteration count that it is\n> willing to use and reject any values that exceed that threshold (in such\n> cases, the client, of course, has to fail the authentication).\n\n### Impact\n\nDuring SCRAM authentication to a hostile server, the entire Ruby VM will be\nlocked for the duration of the computation. Depending on hardware\ncapabilities and OpenSSL version, this may take many minutes.\n\n`OpenSSL::KDF.pbkdf2_hmac` is a blocking C function, so `Timeout` cannot be\nused to guard against this. And it retains the Global VM lock, so other ruby\nthreads will also be unable to run.\n\n### Mitigation\n\n* Upgrade to a patched version of `net-imap` that adds the `max_iterations`\n option to the `SASL-*` authenticators, and call `Net::IMAP#authenticate`\n with a `max_iterations` keyword argument.\n\n **NOTE:** The default `max_iterations` is `2³¹ - 1`, the maximum signed 32\n bit integer, the maximum allowed by OpenSSL.\n\n _To prevent a denial of service attack,_ this must be set to a safe value,\n depending on hardware and version of OpenSSL. 
_It is the user's\n responsibility_ to enforce minimum and maximum iteration counts that are\n appropriate for their security context.\n\n* Alternatively, avoid `SCRAM-*` mechanisms when authenticating to untrusted\n servers.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42256.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42256.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42256", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14589", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14488", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14464", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14549", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14586", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42256" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42256", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42256" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": 
"https://github.com/ruby/net-imap", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap" }, { "reference_url": "https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:04:26Z/" } ], "url": "https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612" }, { "reference_url": "https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:04:26Z/" } ], "url": "https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4" }, { "reference_url": "https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:04:26Z/" } ], "url": "https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:04:26Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:04:26Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:04:26Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4" }, { "reference_url": "https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:04:26Z/" } ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42256.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42256.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42256", "reference_id": "", "reference_type": 
"", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42256" }, { "reference_url": "https://www.rfc-editor.org/rfc/rfc7804.html#page-15", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.rfc-editor.org/rfc/rfc7804.html#page-15" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823", "reference_id": "1136823", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468500", "reference_id": "2468500", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468500" }, { "reference_url": "https://github.com/advisories/GHSA-87pf-fpwv-p7m7", "reference_id": "GHSA-87pf-fpwv-p7m7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-87pf-fpwv-p7m7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/117267?format=api", "purl": "pkg:gem/net-imap@0.4.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/117266?format=api", 
"purl": "pkg:gem/net-imap@0.5.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.5.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/117265?format=api", "purl": "pkg:gem/net-imap@0.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.6.4" } ], "aliases": [ "CVE-2026-42256", "GHSA-87pf-fpwv-p7m7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2yaf-esyj-muab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51301?format=api", "vulnerability_id": "VCID-af3s-epm4-t3cu", "summary": "net-imap vulnerable to STARTTLS stripping via invalid response timing\n### Summary\n\nA man-in-the-middle attacker can cause `Net::IMAP#starttls` to return\n\"successfully\", without starting TLS.\n\n### Details\n\nWhen using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS,\na man-in-the-middle attacker can inject a tagged `OK` response with an easily\npredictable tag. By sending the response before the client finishes sending\nthe command, the command completes \"successfully\" before the response handler\nis registered. 
This allows `#starttls` to return without error, but the\nresponse handler is never invoked, the TLS connection is never established,\nand the socket remains unencrypted.\n\nThis allows man-in-the-middle attackers to perform a STARTTLS stripping\nattack, unless the client code explicitly checks `Net::IMAP#tls_verified?`.\n\n### Impact\n\nTLS bypass, leading to cleartext transmission of sensitive information.\n\n### Mitigation\n\n* Upgrade to a patched version of net-imap that raises an exception whenever\n `#starttls` does not establish TLS.\n* Connect to an implicit TLS port, rather than use `STARTTLS` with a cleartext\n port.\n This is strongly recommended anyway:\n * [RFC 8314](https://www.rfc-editor.org/info/rfc8314): Cleartext Considered\n Obsolete: Use of Transport Layer Security (TLS) for Email Submission and\n Access\n * [NO STARTTLS](https://nostarttls.secvuln.info/): Why TLS is better without\n STARTTLS, A Security Analysis of STARTTLS in the Email Context\n* Explicitly verify `Net::IMAP#tls_verified?` is `true`, before using the\n connection after `#starttls`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42246", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03745", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03733", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03722", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03753", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03756", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42246" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42246", 
"reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42246" }, { "reference_url": "https://github.com/ruby/net-imap", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap" }, { "reference_url": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618" }, { "reference_url": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e" }, { "reference_url": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c" }, { "reference_url": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.3.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.3.10" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24" }, { "reference_url": 
"https://github.com/ruby/net-imap/releases/tag/v0.5.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4" }, { "reference_url": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:29:05Z/" } ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42246.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42246.yml" }, { "reference_url": "https://nostarttls.secvuln.info", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nostarttls.secvuln.info" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42246", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42246" }, { "reference_url": "https://www.rfc-editor.org/info/rfc8314", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.rfc-editor.org/info/rfc8314" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823", "reference_id": "1136823", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823" }, { "reference_url": "https://github.com/advisories/GHSA-vcgp-9326-pqcp", "reference_id": "GHSA-vcgp-9326-pqcp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vcgp-9326-pqcp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/117267?format=api", "purl": "pkg:gem/net-imap@0.4.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { 
"vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/117266?format=api", "purl": "pkg:gem/net-imap@0.5.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.5.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/117265?format=api", "purl": "pkg:gem/net-imap@0.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.6.4" } ], "aliases": [ "CVE-2026-42246", "GHSA-vcgp-9326-pqcp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-af3s-epm4-t3cu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51300?format=api", "vulnerability_id": "VCID-hpda-wmzp-sqgz", "summary": "net-imap has quadratic complexity when reading response literals\n### Summary\n\n`Net::IMAP::ResponseReader` has quadratic time complexity when reading large\nresponses containing many string literals. A hostile server can send\nresponses which are crafted to exhaust the client's CPU for a denial of\nservice attack.\n\n### Details\n\nFor each literal in a response, `ResponseReader` rescans the entire growing\nresponse buffer. 
The regular expression that is used to scan the response\nbuffer runs in linear time. With many literals, this becomes O(n²) total\nwork. The regular expression should run in constant time: it is anchored to\nthe end and only the last 23 bytes of the buffer are relevant.\n\nBecause the algorithmic complexity is super-linear, this bypasses protection\nfrom `max_response_size`: a response can stay well below the default size\nlimit while still causing very large CPU cost.\n\n`Net::IMAP::ResponseReader` runs continuously in the receiver thread until the\nconnection closes.\n\n### Impact\n\nThis consumes disproportionate CPU time in the client's receiver thread. A\nhostile server could use this to exhaust the client's CPU for a denial of\nservice attack.\n\nFor a response near the default `max_response_size`, each individual regexp\nscan could take between 100 to 200ms on common modern hardware, and this may\nbe repeated 200k times per megabyte of response. While the regexp is\nscanning, it retains the Global VM lock, preventing other threads from\nrunning.\n\nAlthough other threads should not be _completely_ blocked, their run time will\nbe significantly impacted.\n\n### Mitigation\n* Upgrade to a patched version of net-imap that reads responses more efficiently.\n* Do not connect to untrusted IMAP servers.\n* When connecting to untrusted servers, a _much_ smaller `max_response_size`\n (for example: 8KiB) will limit the impact. 
Although this is too small for\n fetching unpaginated message bodies, it should be enough for most other\n operations.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42245.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42245.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42245", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24742", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24861", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.2485", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24791", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24734", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42245" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42245", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42245" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/ruby/net-imap", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap" }, { "reference_url": "https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T17:53:55Z/" } ], "url": "https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96" }, { "reference_url": "https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T17:53:55Z/" } ], "url": "https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda" }, { "reference_url": "https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T17:53:55Z/" } ], "url": 
"https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T17:53:55Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T17:53:55Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T17:53:55Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4" }, { "reference_url": "https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T17:53:55Z/" } ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42245.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42245.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42245", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42245" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823", "reference_id": "1136823", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468495", "reference_id": "2468495", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468495" }, { "reference_url": "https://github.com/advisories/GHSA-q2mw-fvj9-vvcw", "reference_id": "GHSA-q2mw-fvj9-vvcw", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q2mw-fvj9-vvcw" } ], "fixed_packages": [ { 
"url": "http://public2.vulnerablecode.io/api/packages/117267?format=api", "purl": "pkg:gem/net-imap@0.4.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/117266?format=api", "purl": "pkg:gem/net-imap@0.5.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.5.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/117265?format=api", "purl": "pkg:gem/net-imap@0.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.6.4" } ], "aliases": [ "CVE-2026-42245", "GHSA-q2mw-fvj9-vvcw" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hpda-wmzp-sqgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51302?format=api", "vulnerability_id": "VCID-qyp6-9j12-xkak", "summary": "Possible DoS by memory exhaustion in net-imap\n### Summary\n\nThere is a possibility for denial of service by memory exhaustion in\n`net-imap`'s response parser. 
At any time while the client is\nconnected, a malicious server can send highly compressed\n`uid-set` data which is automatically read by the client's receiver\nthread. The response parser uses `Range#to_a` to convert the\n`uid-set` data into arrays of integers, with no limitation on the\nexpanded size of the ranges.\n\n### Details\n\nIMAP's `uid-set` and `sequence-set` formats can compress ranges of\nnumbers, for example: `\"1,2,3,4,5\"` and `\"1:5\"` both represent the\nsame set. When `Net::IMAP::ResponseParser` receives `APPENDUID` or\n`COPYUID` response codes, it expands each `uid-set` into an array of\nintegers. On a 64 bit system, these arrays will expand to 8 bytes\nfor each number in the set. A malicious IMAP server may send\nspecially crafted `APPENDUID` or `COPYUID` responses with very large\n`uid-set` ranges.\n\nThe `Net::IMAP` client parses each server response in a separate\nthread, as soon as each response is received from the server.\nThis attack works even when the client does not handle the\n`APPENDUID` or `COPYUID` responses.\n\nMalicious inputs:\n\n```ruby\n# 40 bytes expands to ~1.6GB:\n\"* OK [COPYUID 1 1:99999999 1:99999999]\\r\\n\"\n\n# Worst *valid* input scenario (using uint32 max),\n# 44 bytes expands to 64GiB:\n\"* OK [COPYUID 1 1:4294967295 1:4294967295]\\r\\n\"\n\n# Numbers must be non-zero uint32, but this isn't validated. Arrays\n# larger than UINT32_MAX can be created. 
For example, the following\n# would theoretically expand to almost 800 exabytes:\n\"* OK [COPYUID 1 1:99999999999999999999 1:99999999999999999999]\\r\\n\"\n```\n\nSimple way to test this:\n```ruby\nrequire \"net/imap\"\n\ndef test(size)\n input = \"A004 OK [COPYUID 1 1:#{size} 1:#{size}] too large?\\n\"\n parser = Net::IMAP::ResponseParser.new\n parser.parse input\nend\n\ntest(99_999_999)\n```\n\n### Fixes\n\n#### Preferred Fix, minor API changes\n\nUpgrade to v0.4.19, v0.5.6, or higher, and configure:\n\n```ruby\n# globally\nNet::IMAP.config.parser_use_deprecated_uidplus_data = false\n# per-client\nimap = Net::IMAP.new(hostname, ssl: true,\n parser_use_deprecated_uidplus_data: false)\nimap.config.parser_use_deprecated_uidplus_data = false\n```\n\nThis replaces `UIDPlusData` with `AppendUIDData` and `CopyUIDData`.\nThese classes store their UIDs as `Net::IMAP::SequenceSet` objects\n(_not_ expanded into arrays of integers). Code that does not handle\n`APPENDUID` or `COPYUID` responses will not notice any difference.\nCode that does handle these responses _may_ need to be updated. See\nthe documentation for\n[UIDPlusData](https://ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html),\n[AppendUIDData](https://ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html)\nand [CopyUIDData](https://ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html).\n\nFor v0.3.8, this option is not available.\nFor v0.4.19, the default value is `true`.\nFor v0.5.6, the default value is `:up_to_max_size`.\nFor v0.6.0, the only allowed value will be `false` _(`UIDPlusData`\nwill be removed from v0.6)_.\n\n#### Mitigation, backward compatible API\n\nUpgrade to v0.3.8, v0.4.19, v0.5.6, or higher.\n\nFor backward compatibility, `uid-set` can still be expanded\ninto an array, but a maximum limit will be applied.\n\nAssign `config.parser_max_deprecated_uidplus_data_size` to set the\nmaximum `UIDPlusData` UID set size. 
When\n`config.parser_use_deprecated_uidplus_data == true`, larger sets will crash.\nWhen `config.parser_use_deprecated_uidplus_data == :up_to_max_size`,\nlarger sets will use `AppendUIDData` or `CopyUIDData`.\n\nFor v0.3.8, this limit is _hard-coded_ to 10,000, and larger sets\nwill always raise `Net::IMAP::ResponseParseError`.\nFor v0.4.19, the limit defaults to 1000.\nFor v0.5.6, the limit defaults to 100.\nFor v0.6.0, the limit will be ignored _(`UIDPlusData` will be\nremoved from v0.6)_.\n\n#### Please Note: unhandled responses\n\nIf the client does not add response handlers to prune unhandled\nresponses, a malicious server can still eventually exhaust all\nclient memory, by repeatedly sending malicious responses. However,\n`net-imap` has always retained unhandled responses, and it has always\nbeen necessary for long-lived connections to prune these responses.\n_This is not significantly different from connecting to a trusted\nserver with a long-lived connection._ To limit the maximum number\nof retained responses, a simple handler might look something like\nthe following:\n\n```ruby\nlimit = 1000\nimap.add_response_handler do |resp|\n next unless resp.respond_to?(:name) && resp.respond_to?(:data)\n name = resp.name\n code = resp.data.code&.name if resp.data.respond_to?(:code)\n if Net::IMAP::VERSION > \"0.4.0\"\n imap.responses(name) { _1.slice!(0...-limit) }\n imap.responses(code) { _1.slice!(0...-limit) }\n else\n imap.responses(name).slice!(0...-limit)\n imap.responses(code).slice!(0...-limit)\n end\nend\n```", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25186.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25186.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25186", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33688", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33744", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33757", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33714", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33723", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25186" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/ruby/net-imap", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap" }, { "reference_url": "https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/" } ], "url": "https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35" }, { "reference_url": "https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/" } ], "url": "https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3" }, { "reference_url": "https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/" } ], "url": "https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022" }, { "reference_url": "https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/" } ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69" }, { "reference_url": "https://ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html" }, { "reference_url": "https://ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html" }, { "reference_url": "https://ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103791", "reference_id": "1103791", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103791" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344680", "reference_id": "2344680", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344680" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25186", "reference_id": "CVE-2025-25186", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25186" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2025-25186.yml", "reference_id": "CVE-2025-25186.YML", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2025-25186.yml" }, { "reference_url": "https://github.com/advisories/GHSA-7fc5-f82f-cx69", "reference_id": "GHSA-7fc5-f82f-cx69", "reference_type": "", "scores": [ { "value": "MODERATE", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7fc5-f82f-cx69" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:10217", "reference_id": "RHSA-2025:10217", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:10217" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3906", "reference_id": "RHSA-2025:3906", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3906" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:4493", "reference_id": "RHSA-2025:4493", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:4493" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8131", "reference_id": "RHSA-2025:8131", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8131" }, { "reference_url": "https://usn.ubuntu.com/7418-1/", "reference_id": "USN-7418-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7418-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84077?format=api", "purl": "pkg:gem/net-imap@0.4.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" }, { "vulnerability": "VCID-zyky-57u4-x3f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/84078?format=api", "purl": "pkg:gem/net-imap@0.5.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": 
"VCID-xc7r-d1an-y7gp" }, { "vulnerability": "VCID-zyky-57u4-x3f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.5.6" } ], "aliases": [ "CVE-2025-25186", "GHSA-7fc5-f82f-cx69" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qyp6-9j12-xkak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51299?format=api", "vulnerability_id": "VCID-vc49-gj5q-23a2", "summary": "net-imap vulnerable to command Injection via unvalidated Symbol inputs\n### Summary\n\nSymbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command\ninjection via Symbol arguments passed to IMAP commands.\n\n### Details\n\nSymbol arguments represent IMAP \"system flags\", which are formatted as \"atoms\"\n(with no quoting) with a `\"\\\"` prefix. Vulnerable versions of Net::IMAP sends\nthe symbol name directly to the socket, with no validation.\n\nBecause the Symbol input is unvalidated, it could contain invalid `flag`\ncharacters, including `SP` and `CRLF`, which could be used to finish the\ncurrent command and inject new commands.\n\nAlthough IMAP `flag` arguments are only valid input for a few IMAP commands,\nmost Net::IMAP commands use generic argument handling, and will allow Symbol\n(`flag`) inputs.\n\nNote also that the list of valid symbol inputs should be restricted to an\nenumerated set of standard RFC defined flag types, which have each been given\nspecific defined semantics. Any user-provided values outside of that list of\nstandard \"system flags\" needs to use the IMAP `keyword` syntax, which are sent\nas atoms, i.e: string inputs. 
Under no circumstances should `#to_sym` ever be\ncalled on unvetted user-provided input: that will always be a bug in the\ncalling code for the simple reason that `user_input_atom` is not the same as\n`\\user_input_atom`.\n\nFor forward compatibility with future IMAP extensions, Net::IMAP does not\nrestrict flag inputs to an enumerated list. That is the responsibility of the\ncalling application code, which knows which flag semantics are valid for its\ncontext.\n\n### Impact\n\nIf a developer passes user-controlled input as a Symbol to most Net::IMAP\ncommands, an attacker can append a CRLF sequence followed by a new IMAP command\n(like `DELETE mailbox`).\n\n### Mitigation\n* Upgrade to a version of Net::IMAP that validates Symbols are valid as an\n IMAP `flag`.\n\n* User-provided input should never be able to control calling `#to_sym` on\n string arguments.\n\n For example, do not unsafely serialize and deserialize command arguments\n (e.g. with YAML or Marshal) in a way that could create unvetted Symbol\n arguments.\n\n* For the few IMAP commands which do allow `flag` arguments, it may be\n appropriate to hard-code Symbol arguments or restrict them to an enumerated\n list which is valid for the calling application.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42258", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25878", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25826", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25821", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25924", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25932", "published_at": "2026-06-05T12:55:00Z" } ], "url": 
"https://api.first.org/data/v1/epss?cve=CVE-2026-42258" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42258", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42258" }, { "reference_url": "https://github.com/ruby/net-imap", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap" }, { "reference_url": "https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b" }, { "reference_url": "https://github.com/ruby/net-imap/commit/9db3e9d60bfb8f3735ea95015bf8a700f4af9cbb", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/commit/9db3e9d60bfb8f3735ea95015bf8a700f4af9cbb" }, { "reference_url": "https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:57:16Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:57:16Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:57:16Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4" }, { "reference_url": "https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.8", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:57:16Z/" } ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42258.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42258.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42258", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42258" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823", "reference_id": "1136823", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823" }, { "reference_url": "https://github.com/advisories/GHSA-75xq-5h9v-w6px", "reference_id": "GHSA-75xq-5h9v-w6px", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-75xq-5h9v-w6px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/117267?format=api", "purl": "pkg:gem/net-imap@0.4.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/117266?format=api", "purl": "pkg:gem/net-imap@0.5.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.5.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/117265?format=api", "purl": "pkg:gem/net-imap@0.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.6.4" } ], "aliases": [ "CVE-2026-42258", "GHSA-75xq-5h9v-w6px" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vc49-gj5q-23a2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51303?format=api", "vulnerability_id": "VCID-xc7r-d1an-y7gp", "summary": "net-imap vulnerable to command Injection via \"raw\" arguments to multiple commands\n### Summary\n\nSeveral `Net::IMAP` commands accept a raw string argument that is sent to the\nserver without validation or escaping. 
If this string is derived from\nuser-controlled input, it may contain `CRLF` sequences, which an\nattacker can use to inject arbitrary IMAP commands.\n\n### Details\n\n`Net::IMAP`'s generic argument handling, used by most command arguments,\ninterprets string arguments as an IMAP `astring`. Depending on the string\ncontents and the connection's UTF-8 support, this encodes strings as either an\n`atom`, `quoted`, or `literal`. These are safe from command or argument\ninjection.\n\nBut the following commands transform specific String arguments to\n`Net::IMAP::RawData`, which bypasses normal argument validation and encoding\nand prints the string directly to the socket:\n\n* `#uid_search`, `#search`\n * when `criteria` is a String, it is sent raw\n* `#uid_fetch`, `#fetch`\n * when `attr` is a String, it is sent raw\n * when `attr` is an Array, each String in `attr` is sent raw\n* `#uid_store`, `#store`\n * when `attr` is a String, it is sent raw\n* `#setquota`:\n * `limit` is interpolated with `#to_s` and that string is sent raw\n\nBecause these string arguments are sent without any neutralization, they serve\nas a direct vector for command splitting. Any user controlled data\ninterpolated into these strings can be used to break out of the intended\ncommand context.\n\nUsing \"raw data\" arguments for `#uid_store`, `#store`, and `#setquota` is both\ninappropriate and unnecessary. `Net::IMAP`'s generic argument handling is\nsufficient to safely validate and encode their arguments. Users of the\nlibrary probably do not expect arguments to these commands to be sent raw and\nmight not be wary of passing unvalidated input.\n\nThe API for search criteria and fetch attributes is intentionally low-level\nand \"close to the wire\". It allows developers to use some IMAP extensions\nwithout requiring explicit support from the library and allows developers to\nuse complex IMAP grammar without complex argument translation. 
Even so, basic\nvalidation is appropriate and could neutralize command injection.\n\nAlthough this was explicitly documented for search `criteria`, it was\ninsufficiently documented for fetch `attr`. So developers may not have\nrealized that the `attr` argument to `#fetch` and `#uid_fetch` is sent as \"raw\ndata\".\n\n### Impact\n\nIf a developer passes an unvalidated user-controlled input for one of these\nmethod arguments, an attacker can append CRLF sequence followed by a new IMAP\ncommand (like DELETE mailbox). Although this does not _directly_ enable data\nexfiltration, it could be combined with other attack vectors or knowledge of\nthe target system's attributes, e.g.: shared mail folders or the application's\ninstalled response handlers.\n\nThe SEARCH, STORE, and FETCH commands, and their UID variants are some of the\nmost commonly used features of the library. Applications that build search\nqueries or fetch attributes dynamically based on user input (e.g., mail\nclients or archival tools) may be at significant risk.\n\nExpected use of `Net::IMAP#setquota` is much more limited: `SETQUOTA` is often\nonly usable by users with special administrative privileges. Depending on the\nserver, quota administration might be managed through server configuration\nrather than via the IMAP protocol `SETQUOTA` command. It is expected to be\nuncommonly used in system administration scripts or in interactive sessions,\nit should be completely controlled by trusted users, and should only use\ntrusted inputs. Calling `#setquota` with untrusted user input is expected to\nbe a very uncommon use case. 
Please note however this might be combined with\nother attacks, for example CSRF, which provide unauthorized access to trusted\ninputs, and may specifically target users or scripts with administrator\nprivileges.\n\n### Mitigation\n\n- Update to a patched version of `net-imap` which:\n - validates that `Net::IMAP::RawData` is composed of well-formed IMAP\n `text`, `literal`, and `literal8` values, with no unescaped `NULL`, `CR`,\n or `LF` bytes.\n - does not use `Net::IMAP::RawData` for `#store`, `#uid_store`, or\n `#setquota`.\n- Prefer to send search criteria as an array of key value pairs. Avoid\n sending it as an interpolated string.\n- If an immediate upgrade is not possible:\n - String inputs to search criteria and fetch attributes can be validated\n against command injection by checking for `\\r` and `\\n` characters.\n - Hard-coding the store `attr` argument is often appropriate.\n Alternatively, user controlled inputs can be restricted to a small\n enumerated list which is valid for the calling application.\n - Use `Kernel#Integer` to coerce and validate user controlled inputs to\n `#setquota` limit.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42257.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-42257.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42257", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03754", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03773", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03776", "published_at": "2026-06-06T12:55:00Z" }, { 
"value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03765", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03744", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42257" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42257", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42257" }, { "reference_url": "https://github.com/ruby/net-imap", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap" }, { "reference_url": "https://github.com/ruby/net-imap/commit/0ec4fd351263e8b9a4f683713427827b7b1ad974", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/commit/0ec4fd351263e8b9a4f683713427827b7b1ad974" }, { "reference_url": "https://github.com/ruby/net-imap/commit/47c72186d272441878ca73c9499f66013829ca2f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/commit/47c72186d272441878ca73c9499f66013829ca2f" }, { "reference_url": "https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b", "reference_id": "", "reference_type": "", "scores": 
[ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b" }, { "reference_url": "https://github.com/ruby/net-imap/commit/a4f7649c3da77dec7631f03a037a478eb4330048", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/commit/a4f7649c3da77dec7631f03a037a478eb4330048" }, { "reference_url": "https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T19:27:16Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T19:27:16Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14" }, { "reference_url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T19:27:16Z/" } ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4" }, { "reference_url": "https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T19:27:16Z/" } ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42257", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42257" }, { 
"reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823", "reference_id": "1136823", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136823" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468494", "reference_id": "2468494", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468494" }, { "reference_url": "https://github.com/advisories/GHSA-hm49-wcqc-g2xg", "reference_id": "GHSA-hm49-wcqc-g2xg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hm49-wcqc-g2xg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/117267?format=api", "purl": "pkg:gem/net-imap@0.4.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/117266?format=api", "purl": "pkg:gem/net-imap@0.5.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.5.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/117265?format=api", "purl": "pkg:gem/net-imap@0.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": 
"VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.6.4" } ], "aliases": [ "CVE-2026-42257", "GHSA-hm49-wcqc-g2xg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xc7r-d1an-y7gp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51307?format=api", "vulnerability_id": "VCID-zyky-57u4-x3f5", "summary": "net-imap rubygem vulnerable to possible DoS by memory exhaustion\n### Summary\n\nThere is a possibility for denial of service by memory exhaustion\nwhen `net-imap` reads server responses. At any time while the client\nis connected, a malicious server can send a \"literal\" byte\ncount, which is automatically read by the client's receiver thread.\nThe response reader immediately allocates memory for the number of\nbytes indicated by the server response.\n\nThis should not be an issue when securely connecting to trusted IMAP\nservers that are well-behaved. It can affect insecure connections\nand buggy, untrusted, or compromised servers (for example, connecting\nto a user supplied hostname).\n\n### Details\n\nThe IMAP protocol allows \"literal\" strings to be sent in responses,\nprefixed with their size in curly braces (e.g. `{1234567890}`).\nWhen `Net::IMAP` receives a response containing a literal string,\nit calls `IO#read` with that size. When called with a size,\n`IO#read` immediately allocates memory to buffer the entire string\nbefore processing continues. The server does not need to send any\nmore data. There is no limit on the size of literals that will be\naccepted.\n\n### Fix\n#### Upgrade\nUsers should upgrade to `net-imap` 0.5.7 or later. A configurable\n`max_response_size` limit has been added to `Net::IMAP`'s response\nreader. 
The `max_response_size` limit has also been backported to\n`net-imap` 0.2.5, 0.3.9, and 0.4.20.\n\nTo set a global value for `max_response_size`, users must upgrade\nto `net-imap` ~> 0.4.20, or > 0.5.7.\n\n#### Configuration\n\nTo avoid backward compatibility issues for secure connections to\ntrusted well-behaved servers, the default `max_response_size` for\n`net-imap` 0.5.7 is _very high_ (512MiB), and the default\n`max_response_size` for `net-imap` ~> 0.4.20, ~> 0.3.9, and 0.2.5\nis `nil` (unlimited).\n\nWhen connecting to untrusted servers or using insecure connections,\na much lower `max_response_size` should be used.\n```ruby\n# Set the global max_response_size (only ~> v0.4.20, > 0.5.7)\nNet::IMAP.config.max_response_size = 256 << 10 # 256 KiB\n\n# Set when creating the connection\nimap = Net::IMAP.new(hostname, ssl: true,\n max_response_size: 16 << 10) # 16 KiB\n\n# Set after creating the connection\nimap.max_response_size = 256 << 10 # 256 KiB\n# flush currently waiting read, to ensure the new setting is loaded\nimap.noop\n```\n\n_**Please Note:**_ `max_response_size` only limits the size _per\nresponse_. It does not prevent a flood of individual responses\nand it does not limit how many unhandled responses may be stored\non the responses hash. Users are responsible for adding response\nhandlers to prune excessive unhandled responses.\n\n#### Compatibility with lower `max_response_size`\n\nA lower `max_response_size` may cause a few commands which\nlegitimately return very large responses to raise an exception\nand close the connection. The `max_response_size` could be\ntemporarily set to a higher value, but paginated or limited\nversions of commands should be used whenever possible. 
For\nexample, to fetch message bodies:\n\n```ruby\nimap.max_response_size = 256 << 10 # 256 KiB\nimap.noop # flush currently waiting read\n\n# fetch a message in 252KiB chunks\nsize = imap.uid_fetch(uid, \"RFC822.SIZE\").first.rfc822_size\nlimit = 252 << 10\nmessage = ((0..size) % limit).each_with_object(\"\") {|offset, str|\n str << imap.uid_fetch(uid,\n \"BODY.PEEK[]<#{offset}.#{limit}>\").first.message(offset:)\n}\n\nimap.max_response_size = 16 << 10 # 16 KiB\nimap.noop # flush currently waiting read\n```\n\n### References\n\n* PR to introduce max_response_size: https://github.com/ruby/net-imap/pull/442\n * Specific commit: [0ae8576c1 - lib/net/imap/response_reader.rb](https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462)\n* Backport to 0.4: https://github.com/ruby/net-imap/pull/445\n* Backport to 0.3: https://github.com/ruby/net-imap/pull/446\n* Backport to 0.2: https://github.com/ruby/net-imap/pull/447", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43857.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43857.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43857", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00393", "scoring_system": "epss", "scoring_elements": "0.60612", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00393", "scoring_system": "epss", "scoring_elements": "0.60598", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00393", "scoring_system": "epss", "scoring_elements": "0.60583", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00393", "scoring_system": "epss", "scoring_elements": "0.606", "published_at": 
"2026-06-07T12:55:00Z" }, { "value": "0.00528", "scoring_system": "epss", "scoring_elements": "0.67521", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43857" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/ruby/net-imap", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap" }, { "reference_url": "https://github.com/ruby/net-imap/pull/442", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T17:59:30Z/" } ], "url": "https://github.com/ruby/net-imap/pull/442" }, { "reference_url": "https://github.com/ruby/net-imap/pull/444", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ruby/net-imap/pull/444" }, { 
"reference_url": "https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T17:59:30Z/" } ], "url": "https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462" }, { "reference_url": "https://github.com/ruby/net-imap/pull/445", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T17:59:30Z/" } ], "url": "https://github.com/ruby/net-imap/pull/445" }, { "reference_url": "https://github.com/ruby/net-imap/pull/446", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T17:59:30Z/" } ], "url": "https://github.com/ruby/net-imap/pull/446" }, { "reference_url": "https://github.com/ruby/net-imap/pull/447", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T17:59:30Z/" } ], "url": "https://github.com/ruby/net-imap/pull/447" }, { "reference_url": "https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T17:59:30Z/" } ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104486", "reference_id": "1104486", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104486" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362749", "reference_id": "2362749", "reference_type": 
"", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362749" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43857", "reference_id": "CVE-2025-43857", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43857" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2025-43857.yml", "reference_id": "CVE-2025-43857.YML", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2025-43857.yml" }, { "reference_url": "https://github.com/advisories/GHSA-j3g3-5qv5-52mj", "reference_id": "GHSA-j3g3-5qv5-52mj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j3g3-5qv5-52mj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84947?format=api", "purl": "pkg:gem/net-imap@0.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" }, { "vulnerability": "VCID-zyky-57u4-x3f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/84946?format=api", "purl": "pkg:gem/net-imap@0.5.7", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-2yaf-esyj-muab" }, { "vulnerability": "VCID-af3s-epm4-t3cu" }, { "vulnerability": "VCID-hpda-wmzp-sqgz" }, { "vulnerability": "VCID-vc49-gj5q-23a2" }, { "vulnerability": "VCID-xc7r-d1an-y7gp" }, { "vulnerability": "VCID-zyky-57u4-x3f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.5.7" } ], "aliases": [ "CVE-2025-43857", "GHSA-j3g3-5qv5-52mj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zyky-57u4-x3f5" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/net-imap@0.4.9" }