CVE-2025-25186 — Uncontrolled Resource Consumption in Net-imap
CWE-400 — Uncontrolled Resource Consumption
CWE-405 — Asymmetric Resource Consumption (Amplification)
CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification)
CWE-770 — Allocation of Resources Without Limits or Throttling
CWE-789 — Memory Allocation with Excessive Size Value
CWE-1287 — Improper Validation of Specified Type of Input
Severity
NVD: 6.5 MEDIUM
OSV: 5.3
EPSS: 0.1% (top 66.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 10
Latest update: Apr 27
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send highly compressed `uid-set` data, which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set`…
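The amplification described above comes from expanding each `a:b` range of a `uid-set` eagerly with `Range#to_a`. The following added example (not net-imap's own code) parses a `uid-set` without expansion, sizes it arithmetically, and rejects over-limit sets before any large allocation; the `10_000` limit is a constructed example value, not a net-imap setting.

```ruby
# Added illustration, not net-imap's own code: parse an IMAP uid-set
# without eagerly expanding ranges, and refuse sets whose expanded size
# exceeds a cap before any large allocation happens.

# A uid-set is a comma-separated list of numbers and "a:b" ranges, e.g.
# "1,5:9,12". Parse it into Integers and Ranges (a reversed "9:5" becomes
# 5..9) without expanding anything.
def parse_uid_set(text)
  text.split(",").map do |item|
    case item
    when /\A(\d+)\z/
      Integer($1)
    when /\A(\d+):(\d+)\z/
      lo, hi = [Integer($1), Integer($2)].minmax
      lo..hi
    else
      raise ArgumentError, "invalid uid-set item: #{item.inspect}"
    end
  end
end

# Number of UIDs the set denotes, computed arithmetically: Range#size is
# O(1), whereas Range#to_a allocates one Integer per element.
def uid_set_size(entries)
  entries.sum { |e| e.is_a?(Range) ? e.size : 1 }
end

# The vulnerable pattern: every range is expanded with Range#to_a, so a
# server-chosen "1:4294967295" costs billions of Integers in client memory.
def expand_uid_set_unbounded(text)
  parse_uid_set(text).flat_map { |e| e.is_a?(Range) ? e.to_a : [e] }
end

# Hardened variant: size the set first and reject anything over the limit
# before expanding. The default limit is a constructed example value, not a
# net-imap setting.
def expand_uid_set_bounded(text, limit: 10_000)
  entries = parse_uid_set(text)
  size = uid_set_size(entries)
  if size > limit
    raise ArgumentError, "uid-set expands to #{size} UIDs (limit #{limit})"
  end
  entries.flat_map { |e| e.is_a?(Range) ? e.to_a : [e] }
end
```

Keeping the parsed entries as Ranges (and iterating them lazily) is the real mitigation; the size check shows where a limit must sit to be effective, namely before `to_a` runs.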
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6