Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::IMAP exposes several commands that accept a raw string argument. If an attacker controls the content of that string, the library forwards it to an IMAP server unescaped, allowing the injection of carriage return line feed sequences that create additional IMAP commands. The flaw enables an attacker to inject arbitrary IMAP commands, potentially compromising the server’s confidentiality, integrity, or availability by executing unintended actions. The weakness is a classic command injection (CWE-77) and a CRLF injection (CWE-93).

Affected Systems

The affected product is the Ruby library Net::IMAP, with all versions prior to 0.4.24, 0.5.14, and 0.6.4 vulnerable. Any Ruby application that depends on these earlier releases and passes user input into raw IMAP commands is at risk. Updating the library to v0.4.24 or newer fixes the issue.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate severity impact. The EPSS score is unavailable, so the current exploitation probability is unknown, but the vulnerability is not cataloged in the CISA KEV list. The likely attack vector is remote, as an attacker can supply user-controlled input through any interface that ultimately reaches the Net::IMAP client. Exploitation requires that the application construct raw IMAP commands from the attacker’s input and send them to an IMAP server without further validation.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Net::IMAP to version 0.4.24 or newer, which removes the raw argument handling flaw.
  • If an upgrade is not immediately possible, avoid using raw IMAP command arguments with untrusted input; instead, construct commands using the library’s typed interfaces or sanitize the input to eliminate CRLF sequences.
  • Implement application‑level checks to ensure that any data supplied to IMAP commands originates from trusted sources or has been properly escaped before being passed to the Net::IMAP client.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hm49-wcqc-g2xg net-imap vulnerable to command Injection via "raw" arguments to multiple commands
History

Sat, 09 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Title net-imap: Command Injection via "raw" arguments to multiple commands
Weaknesses CWE-77
CWE-93
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:39:48.398Z

Reserved: 2026-04-26T11:53:27.704Z

Link: CVE-2026-42257

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:28.463

Modified: 2026-05-09T20:16:28.463

Link: CVE-2026-42257

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T21:30:42Z

Weaknesses