Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::IMAP contains an inefficient algorithm that processes server responses in quadratic time when large numbers of string literals are present. The result is that a malicious IMAP server can craft responses designed to exhaust the client’s CPU resources, causing a denial of service. The weakness is a classic example of inefficient string handling, catalogued as CWE‑407, and does not directly threaten data confidentiality or integrity.

Affected Systems

Ruby applications using the Net::IMAP library prior to versions 0.4.24, 0.5.14, or 0.6.4 are affected. These include any project that depends on the ruby:net-imap package with an older gem release, regardless of the surrounding application context.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, but the vulnerability can be exploited remotely by any IMAP server that the client connects to. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the risk of widespread exploitation is unclear. However, the attack vector is inferred to be remote over the network, as a hostile server can send specially crafted responses to trigger the CPU exhaustion attack.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Net::IMAP gem to version 0.4.24, 0.5.14, or 0.6.4 or later.
  • Configure the application to connect only to trusted IMAP servers and enforce connection timeouts to limit the length of responses.
  • If an immediate upgrade is not feasible, add a wrapper around Net::IMAP that aborts processing when a response exceeds a configurable size or complexity threshold.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q2mw-fvj9-vvcw net-imap has quadratic complexity when reading response literals
History

Sat, 09 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Title net-imap: Quadratic complexity when reading response literals
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:37:08.905Z

Reserved: 2026-04-25T05:37:12.118Z

Link: CVE-2026-42245

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:28.017

Modified: 2026-05-09T20:16:28.017

Link: CVE-2026-42245

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T21:30:42Z

Weaknesses