cvebase

Ruby-Lang Net vulnerabilities

6 known vulnerabilities affecting ruby-lang/net.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2026-42257 | P2 | CRITICAL | CVSS 9.8 | fixed in 0.4.24 | ≥ 0.5.0, < 0.5.14 | +1 more | 2026-05-09
CVE-2026-42257 [CRITICAL] CWE-77: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which a
nvd
CVE-2026-42246 | P3 | HIGH | CVSS 7.4 | fixed in 0.3.10 | ≥ 0.4.0, < 0.4.24 | +2 more | 2026-05-09
CVE-2026-42246 [HIGH] CWE-392: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
nvd
CVE-2026-42245 | P3 | HIGH | CVSS 7.5 | fixed in 0.4.24 | ≥ 0.5.0, < 0.5.14 | +1 more | 2026-05-09
CVE-2026-42245 [HIGH] CWE-407: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of se
nvd
CVE-2026-42256 | P4 | MEDIUM | CVSS 6.5 | ≥ 0.4.0, < 0.4.24 | ≥ 0.5.0, < 0.5.14 | +1 more | 2026-05-09
CVE-2026-42256 [MEDIUM] CWE-770: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a
nvd
CVE-2026-42258 | P4 | MEDIUM | CVSS 5.3 | fixed in 0.4.24 | ≥ 0.5.0, < 0.5.14 | +1 more | 2026-05-09
CVE-2026-42258 [MEDIUM] CWE-77: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
nvd
CVE-2025-43857 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.2.5 | ≥ 0.3.0, < 0.3.9 | +2 more | 2025-04-28
CVE-2025-43857 [MEDIUM] CWE-400: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send a "literal" byte count, wh
nvd