
Ruby Net-Imap vulnerabilities

10 known vulnerabilities affecting ruby/net-imap.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 6, LOW 1

Vulnerabilities

CVE-2026-42257 | P2 | CRITICAL | CVSS 9.8 | fixed in 0.4.24; affected >= 0.5.0, < 0.5.14 (+1 more range) | 2026-05-09
[CRITICAL] CWE-77 (command injection): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which a
Sources: GHSA, NVD
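The injection path this entry describes, and the two defences the patched versions rely on, as an added example. This is illustrative code written for this page, not net-imap's own implementation; `build_command_raw`, `imap_astring`, `build_command`, `wire_lines` and the sample mailbox name are all assumptions. It shows how a raw string carrying CRLF turns one SELECT into two commands on the wire, and the hardened path: reject CR/LF in any argument (Symbols included, which is the CVE-2026-42258 case) and encode string arguments as IMAP astrings (bare atom, quoted string, or literal) instead of pasting them verbatim.

```ruby
# Added example, not net-imap's code.  Characters that cannot appear in a
# bare IMAP atom (RFC 9051 atom-specials: "(", ")", "{", SP, CTL, the
# list-wildcards "%" and "*", the quoted-specials DQUOTE and backslash,
# and the resp-special "]").
ATOM_SPECIALS = /[(){ %*"\\\]\x00-\x1f\x7f]/

class CommandInjection < StandardError; end

# Vulnerable pattern: the argument is interpolated into the command verbatim.
def build_command_raw(tag, name, arg)
  "#{tag} #{name} #{arg}\r\n"
end

# Hardened encoding of one argument.  Symbols are converted to strings and
# validated exactly like String values.
def imap_astring(value)
  value = value.to_s
  if value.match?(/[\r\n]/)
    raise CommandInjection, "CR/LF in argument: #{value.inspect}"
  end
  # Plain ASCII without atom-specials can go on the wire as a bare atom.
  return value if !value.empty? && value.ascii_only? && !value.match?(ATOM_SPECIALS)
  if value.ascii_only?
    # Quoted string: only DQUOTE and backslash need escaping.
    '"' + value.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
  else
    # 8-bit data must travel as a literal; the byte count delimits it, so the
    # server never interprets the payload as command syntax.
    "{#{value.bytesize}}\r\n#{value}"
  end
end

def build_command(tag, name, *args)
  "#{tag} #{name} #{args.map { |a| imap_astring(a) }.join(' ')}\r\n"
end

# Number of CRLF-terminated lines a server would read from the bytes (no
# literal handling), enough to show that one call became two commands.
def wire_lines(bytes)
  bytes.split("\r\n").length
end

# Constructed attacker input: a "mailbox name" that terminates SELECT and
# smuggles a second, tagged command.
EVIL_MAILBOX = "INBOX\r\nA2 DELETE Important"
```

`build_command_raw("A1", "SELECT", EVIL_MAILBOX)` yields two lines on the wire, which is the injection; `build_command` with the same input raises before anything is sent, and ordinary names come out as `A1 SELECT INBOX`, `A1 SELECT "My \"Box\""`, or a `{9}` literal for non-ASCII names.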
CVE-2026-42246 | P3 | HIGH | CVSS 7.4 | fixed in 0.3.10; affected >= 0.4.0, < 0.4.24 (+2 more ranges) | 2026-05-09
[HIGH] CWE-392 (missing report of error condition): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully" without starting TLS. Any credentials the client sends after such a call therefore travel in cleartext. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Sources: GHSA, NVD
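The invariant a client must hold around STARTTLS, as an added example. This is not Net::IMAP's starttls code, and the page does not say which response the on-path attacker uses to fool the affected versions, so the code is the general rule rather than a reproduction of the bug: the connection counts as protected only after a tagged OK for the STARTTLS command's own tag and a completed handshake on the same socket, and credentials are refused otherwise. `StarttlsGuard`, `credentials_allowed?`, `starttls_outcome` and the response lines are assumptions constructed for the example.

```ruby
# Added example, not net-imap's code.  Tracks whether a STARTTLS exchange
# may be treated as successful.
class StarttlsGuard
  attr_reader :tls_active

  def initialize
    @pending_tag = nil
    @tls_active = false
  end

  # Call when "<tag> STARTTLS" has been written to the socket.
  def sent(tag)
    @pending_tag = tag
  end

  # Feed one response line.  Only a tagged OK whose tag equals the
  # outstanding STARTTLS tag may lead to the TLS upgrade; untagged lines
  # ("* OK ..."), continuation requests ("+ ..."), NO/BAD, and an OK for
  # some other tag leave the connection in plaintext.
  def response(line)
    tag, status, _rest = line.chomp.split(" ", 3)
    return :ignored unless @pending_tag && tag == @pending_tag
    @pending_tag = nil
    status == "OK" ? :upgrade : :refused
  end

  # Record the outcome of the TLS handshake itself; the tagged OK alone is
  # never enough to call the connection protected.
  def handshake_finished(success)
    @tls_active = success
  end
end

# The check a caller should make before LOGIN or AUTHENTICATE.
def credentials_allowed?(guard)
  guard.tls_active
end

# Constructed scenario driver: the response lines seen after sending
# "A3 STARTTLS", and whether the (simulated) handshake would then succeed.
def starttls_outcome(lines, handshake_ok: true)
  guard = StarttlsGuard.new
  guard.sent("A3")
  decisions = lines.map { |l| guard.response(l) }
  guard.handshake_finished(handshake_ok) if decisions.include?(:upgrade)
  [decisions, credentials_allowed?(guard)]
end
```

An injected `* OK`, an OK for an older tag, or a tagged NO all leave `credentials_allowed?` false; so does a tagged OK followed by a failed handshake.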
CVE-2026-42245 | P3 | HIGH | CVSS 7.5 | fixed in 0.4.24; affected >= 0.5.0, < 0.5.14 (+1 more range) | 2026-05-09
[HIGH] CWE-407 (inefficient algorithmic complexity): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service.
Sources: GHSA, NVD
CVE-2026-47240 | P3 | MEDIUM | CVSS 5.8 | affected >= 0.6.0, < 0.6.4.1; fixed in 0.5.15 | 2026-06-22
[MEDIUM] CWE-77 (command injection): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary
Sources: GHSA, NVD
CVE-2026-42256 | P4 | MEDIUM | CVSS 6.5 | affected >= 0.4.0, < 0.4.24; >= 0.5.0, < 0.5.14 (+1 more range) | 2026-05-09
[MEDIUM] CWE-770 (allocation of resources without limits or throttling): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a
Sources: GHSA, NVD
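Bounding the client's SCRAM work, as an added example that is not net-imap's SASL code. The page's description is cut off, so the example assumes the hostile input is the iteration count `i=` in the server-first-message, which is the one value in the exchange that multiplies the client's PBKDF2 cost; `parse_server_first`, `salted_password`, `client_salted_password`, the `SCRAM_MAX_ITERATIONS` ceiling and the sample message are assumptions. The point is that the bound is enforced when the message is parsed, before any key derivation runs.

```ruby
# Added example, not net-imap's code.
require "openssl"

class ScramError < StandardError; end

SCRAM_MIN_ITERATIONS = 4096       # RFC 5802 minimum iteration count
SCRAM_MAX_ITERATIONS = 1_000_000  # assumption: illustrative ceiling, not net-imap's value

# server-first-message = [reserved-mext ","] nonce "," salt "," iteration-count
# (RFC 5802 section 7).  Returns the parsed fields or raises ScramError.
def parse_server_first(msg, max_iterations: SCRAM_MAX_ITERATIONS)
  pairs = msg.split(",").map { |kv| kv.split("=", 2) }
  raise ScramError, "malformed server-first-message" unless pairs.all? { |p| p.length == 2 }
  attrs = pairs.to_h
  %w[r s i].each { |k| raise ScramError, "missing #{k}=" unless attrs.key?(k) }
  unless attrs["i"].match?(/\A[1-9][0-9]*\z/)
    raise ScramError, "bad iteration count #{attrs['i'].inspect}"
  end
  iterations = attrs["i"].to_i
  if iterations < SCRAM_MIN_ITERATIONS
    raise ScramError, "iteration count #{iterations} below RFC minimum"
  end
  # The cap is the whole defence: a server-chosen count is otherwise a
  # direct multiplier on the CPU time the client spends below.
  if iterations > max_iterations
    raise ScramError, "iteration count #{iterations} exceeds cap #{max_iterations}"
  end
  { nonce: attrs["r"], salt: attrs["s"].unpack1("m"), iterations: iterations }
end

# SaltedPassword := Hi(Normalize(password), salt, i), where Hi is PBKDF2
# with HMAC as the PRF and dkLen equal to the hash output size (RFC 5802
# section 2.2).  Password normalisation (SASLprep) is omitted here.
def salted_password(password, salt, iterations, hash: "SHA256")
  digest = OpenSSL::Digest.new(hash)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, digest.digest_length, digest)
end

# Client-side handling of the server's message with the bound applied
# before the expensive step.
def client_salted_password(server_first, password, max_iterations: SCRAM_MAX_ITERATIONS, hash: "SHA256")
  fields = parse_server_first(server_first, max_iterations: max_iterations)
  salted_password(password, fields[:salt], fields[:iterations], hash: hash)
end

# Constructed sample message (nonce and salt in the RFC 5802 example format).
SAMPLE_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
```

`client_salted_password(SAMPLE_SERVER_FIRST, "pencil")` derives a 32-byte salted password for SCRAM-SHA-256 (20 bytes with `hash: "SHA1"`); the same message with `i=4000000000` is rejected without touching PBKDF2.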
CVE-2026-42258 | P4 | MEDIUM | CVSS 5.3 | fixed in 0.4.24; affected >= 0.5.0, < 0.5.14 (+1 more range) | 2026-05-09
[MEDIUM] CWE-77 (command injection): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Symbol arguments passed to IMAP commands are vulnerable to CRLF injection / IMAP command injection. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Sources: GHSA, NVD
CVE-2025-25186 | P4 | MEDIUM | CVSS 6.5 | affected >= 0.3.2, < 0.3.8; >= 0.4.0, < 0.4.19 (+1 more range) | 2025-02-10
[MEDIUM] CWE-400 (uncontrolled resource consumption): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send highly c
Sources: GHSA, NVD, OSV
CVE-2025-43857 | P4 | MEDIUM | CVSS 6.5 | affected >= 0.5.0, < 0.5.7; >= 0.4.0, < 0.4.20 (+2 more ranges) | 2025-04-28
[MEDIUM] CWE-400 (uncontrolled resource consumption): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send a "literal" byte count, wh
Sources: GHSA, NVD, OSV
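The two hostile-server defences that this entry and CVE-2026-42245 call for, as an added example. It is a minimal response reader written for this page, not Net::IMAP::ResponseReader, and `read_response`, `MAX_RESPONSE_SIZE`, `many_literals` and the sample responses are assumptions. A `{n}` in a response announces n bytes of literal; the reader checks the announced size against a cap before allocating or reading it (the memory-exhaustion case), and reads each literal with one bounded read appended to one buffer so that a response with thousands of literals costs linear rather than quadratic time (the CPU case). The parser-level exhaustion of CVE-2025-25186 is a separate problem and is not covered here.

```ruby
# Added example, not net-imap's code.
require "stringio"

class ResponseTooLarge < StandardError; end

MAX_RESPONSE_SIZE = 512 * 1024  # assumption: illustrative cap, not net-imap's default

# Reads one complete response (a line plus every literal it announces) from
# io and returns its bytes.  Never trusts a server-supplied size.
def read_response(io, max_response_size: MAX_RESPONSE_SIZE)
  buf = +""
  loop do
    line = io.gets("\r\n") or raise EOFError, "connection closed mid-response"
    buf << line
    if buf.bytesize > max_response_size
      raise ResponseTooLarge, "response exceeds #{max_response_size} bytes"
    end
    # A line ending in "{n}" CRLF announces n bytes of literal data.
    m = line.match(/\{(\d+)\}\r\n\z/) or return buf
    n = m[1].to_i
    # Bound-check the announced size BEFORE allocating or reading it; this
    # is the whole defence against a "{4294967295}" from a hostile server.
    if buf.bytesize + n > max_response_size
      raise ResponseTooLarge, "literal of #{n} bytes would exceed #{max_response_size}"
    end
    literal = io.read(n)
    if literal.nil? || literal.bytesize != n
      raise EOFError, "connection closed inside literal"
    end
    # One bounded read per literal, appended once: nothing already read is
    # re-scanned, so cost stays linear in the size of the response.
    buf << literal
  end
end

# Constructed sample: a FETCH response carrying two literals.
SAMPLE_RESPONSE =
  "* 1 FETCH (BODY[HEADER] {22}\r\nSubject: hello world\r\n BODY[TEXT] {5}\r\nhi!\r\n)\r\n"

# Constructed hostile response: announces a ~4 GiB literal it never sends.
HOSTILE_RESPONSE = "* 1 FETCH (BODY[] {4294967295}\r\n"

# A response with k one-byte literals, for exercising the linear path.
def many_literals(k)
  "* 1 FETCH (" + (["{1}\r\nx"] * k).join(" ") + ")\r\n"
end
```

`read_response(StringIO.new(SAMPLE_RESPONSE))` returns the response intact, `many_literals(2000)` reads back unchanged without any quadratic rescanning, and the hostile announcement raises `ResponseTooLarge` before a single byte of the literal is requested. The upstream fix added a configurable response-size limit; check the net-imap release notes for the option name and default before relying on it.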
CVE-2026-47242 | P4 | MEDIUM | CVSS 5.8 | affected >= 0.6.0, < 0.6.4.1; fixed in 0.5.15 | 2026-06-22
[MEDIUM] CWE-77 (command injection): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences. While Net::IMAP#enable does process its argument
Sources: GHSA, NVD
CVE-2026-47241 | P4 | LOW | CVSS 2.1 | affected >= 0.6.0, < 0.6.4.1; fixed in 0.5.15 | 2026-06-22
[LOW] CWE-162 (improper neutralization of trailing special elements): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed
Sources: GHSA, NVD
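How a raw argument that passes a CRLF-only check can still swallow the client's next command, as an added example covering this entry and the synchronizing-literal condition in CVE-2026-47240. This is a toy server-side reader written for this page, not net-imap or any IMAP server's code. The page states the effect (the next command is absorbed); the mechanism modelled here, a trailing `{n}` literal announcement in the raw data, is this example's assumption about how that happens, and `server_parse`, `raw_arg_safe?`, `what_the_server_saw` and the sample commands are likewise assumptions.

```ruby
# Added example, not net-imap's code.
require "stringio"

# Parses a client command stream the way an IMAP server does, including
# synchronizing literals.  Returns [tag, first_line_rest, literals] per command.
def server_parse(stream)
  commands = []
  while (line = stream.gets("\r\n"))
    tag, rest = line.chomp("\r\n").split(" ", 2)
    literals = []
    tail = rest.to_s
    # A line ending in "{n}" is a synchronizing literal: the server answers
    # with a continuation request and then takes the next n bytes as data,
    # whatever they look like.  (With LITERAL+ the client would not wait for
    # the continuation, which is why the issue depends on server support.)
    while (m = tail.match(/\{(\d+)\}\z/))
      n = m[1].to_i
      payload = stream.read(n)
      break if payload.nil? || payload.bytesize != n
      literals << payload
      # The command resumes after the literal and runs to the next CRLF.
      tail = stream.gets("\r\n").to_s.chomp("\r\n")
    end
    commands << [tag, rest, literals]
  end
  commands
end

# Client-side check: raw data that will be sent verbatim must neither
# contain CR/LF nor end in literal syntax ("{n}" or LITERAL+ "{n+}").
def raw_arg_safe?(arg)
  !arg.match?(/[\r\n]/) && !arg.match?(/\{\d+\+?\}\z/)
end

# Constructed client traffic: a SEARCH whose raw argument came from a user,
# followed by the client's own LOGOUT.
NEXT_COMMAND = "A2 LOGOUT\r\n"
INJECTED_ARG = "FROM {#{NEXT_COMMAND.bytesize}}"   # no CR/LF, so a CRLF-only check passes

def what_the_server_saw(arg)
  server_parse(StringIO.new("A1 SEARCH #{arg}\r\n" + NEXT_COMMAND))
end
```

With `INJECTED_ARG` the server parses a single command, A1, whose literal payload is the bytes of `A2 LOGOUT`; the LOGOUT is never executed and the server is still waiting for the rest of A1. With an ordinary argument both commands arrive, and `raw_arg_safe?` rejects the injected value while accepting the ordinary one.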
Ruby Net-Imap vulnerabilities | cvebase