Severity: 6.0 MEDIUM (NVD)
EPSS: 0.5% (top 32.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 28

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the
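The allocation pattern the description refers to, shown from the defensive side: an added Ruby example (not net-imap's own code, and not the project's actual fix) that parses an IMAP literal header of the form `{N}\r\n` and rejects an oversized declared size before any buffer for the body is allocated. The 1 MiB cap, the `read_bounded_literal` and `classify_literal` names, and the sample responses are this example's assumptions.

```ruby
require "stringio"

# Added example (not net-imap's own code): a bounded IMAP literal reader.
# IMAP literals arrive as "{N}\r\n" followed by exactly N bytes. Trusting N
# blindly lets a malicious server force a huge allocation; checking N against
# a cap before allocating is the mitigation this demonstrates.

class LiteralTooLarge < StandardError; end

LITERAL_HEADER = /\A\{(\d+)\}\r\n\z/

# Reads one literal from +io+, refusing any whose declared size exceeds +max_bytes+.
# Returns the literal body as a String.
def read_bounded_literal(io, max_bytes: 1 << 20)
  header = io.gets("\r\n")
  m = header && LITERAL_HEADER.match(header)
  raise ArgumentError, "expected a literal header, got #{header.inspect}" unless m

  count = m[1].to_i
  # The size check happens before any buffer for the body is requested.
  if count > max_bytes
    raise LiteralTooLarge, "server declared #{count} bytes, limit is #{max_bytes}"
  end

  body = io.read(count)
  if body.nil? || body.bytesize != count
    raise EOFError, "stream ended after #{body.to_s.bytesize} of #{count} bytes"
  end
  body
end

# Classifies one inbound response without raising.
# Returns :ok, :too_large or :malformed.
def classify_literal(bytes, max_bytes: 1 << 20)
  read_bounded_literal(StringIO.new(bytes), max_bytes: max_bytes)
  :ok
rescue LiteralTooLarge
  :too_large
rescue ArgumentError, EOFError
  :malformed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses, not captured traffic.
  puts classify_literal("{5}\r\nhello")      # :ok
  puts classify_literal("{4294967295}\r\n")  # :too_large, and no 4 GiB buffer is requested
  puts classify_literal("* OK ready\r\n")    # :malformed
end
```

The cap is deliberately checked against the declared count, not against what the stream actually delivers, because the problem in the description is the allocation that happens on the declaration alone; a server that announces a multi-gigabyte literal and then sends nothing still costs the naive reader the full allocation.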

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (9 packages)

Source      Package          From         Fixed in
RubyGems    ruby/net-imap    0.5.0        0.5.7      +3
CVEListV5   ruby/net-imap    4 versions              +3
NVD         ruby-lang/net    0.3.0        0.3.9      +3

Patches

🔴 Vulnerability Details (3)

OSV: net-imap rubygem vulnerable to possible DoS by memory exhaustion (2025-04-28)
GHSA: net-imap rubygem vulnerable to possible DoS by memory exhaustion (2025-04-28)
OSV: CVE-2025-43857: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby (2025-04-28)

📋 Vendor Advisories (4)

Red Hat: net-imap: net-imap rubygem vulnerable to possible DoS by memory exhaustion (2025-04-28)
Microsoft: net-imap rubygem vulnerable to possible DoS by memory exhaustion (2025-04-08)
Debian: CVE-2025-43857: ruby3.1 - Net::IMAP implements Internet Message Access Protocol (IMAP) client functionalit... (2025)
Microsoft: f2fs: fix null reference error when checking end of zone (2024-08-13)