Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::IMAP contains an inefficient algorithm that processes server responses in quadratic time when large numbers of string literals are present. The result is that a malicious IMAP server can craft responses designed to exhaust the client’s CPU resources, causing a denial of service. The weakness is a classic example of inefficient string handling, catalogued as CWE‑407, and does not directly threaten data confidentiality or integrity.

Affected Systems

Ruby applications using the Net::IMAP library prior to versions 0.4.24, 0.5.14, or 0.6.4 are affected. These include any project that depends on the ruby:net-imap package with an older gem release, regardless of the surrounding application context.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, but the vulnerability can be exploited remotely by any IMAP server that the client connects to. Given the EPSS score of 0.00082, which denotes a very low probability of exploitation, and the fact that the vulnerability is not listed in the CISA KEV catalog, widespread exploitation is unlikely. The attack vector is inferred to be remote over the network, as a hostile server can send specially crafted responses to trigger the CPU exhaustion attack.

Generated by OpenCVE AI on May 16, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Net::IMAP gem to version 0.4.24, 0.5.14, or 0.6.4 or later.
  • Configure the application to connect only to trusted IMAP servers and enforce connection timeouts to limit the length of responses.
  • If an immediate upgrade is not feasible, add a wrapper around Net::IMAP that aborts processing when a response exceeds a configurable size or complexity threshold.

Generated by OpenCVE AI on May 16, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q2mw-fvj9-vvcw net-imap has quadratic complexity when reading response literals
History

Mon, 18 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang net\
CPEs cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:*
Vendors & Products Ruby-lang net\
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang
Ruby-lang net::imap
Vendors & Products Ruby-lang
Ruby-lang net::imap

Sat, 09 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Title net-imap: Quadratic complexity when reading response literals
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Ruby-lang Net::imap Net\
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T18:30:58.415Z

Reserved: 2026-04-25T05:37:12.118Z

Link: CVE-2026-42245

cve-icon Vulnrichment

Updated: 2026-05-12T17:54:00.543Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-09T20:16:28.017

Modified: 2026-05-18T18:12:26.317

Link: CVE-2026-42245

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-09T19:37:08Z

Links: CVE-2026-42245 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T02:00:12Z

Weaknesses