Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::IMAP, a Ruby library for IMAP client functionality, allowed callers to pass Symbol arguments directly to IMAP commands before versions 0.4.24, 0.5.14, and 0.6.4. Those symbols were concatenated into the command string without proper escaping, enabling an attacker to inject carriage-return line-feed (CRLF) sequences and additional IMAP commands. This flaw can lead to arbitrary IMAP command execution on the server side, potentially leaking data, altering mailbox contents, or performing privileged operations. The weakness is classified as command injection (CWE-77) and involves improper neutralization of special elements in a command context (CWE-93).

Affected Systems

Versions of the ruby:net-imap package older than 0.4.24, 0.5.14, and 0.6.4 are affected. The library is distributed as a Ruby gem and used by applications that rely on IMAP client capabilities.

Risk and Exploitability

The CVSS score is 5.8, indicating moderate severity. Exploitation requires an attacker who can influence the data sent to the IMAP client, such as through an application that forwards user input to IMAP commands. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. If an attacker can supply untrusted symbol arguments, they could inject additional IMAP commands, potentially compromising data confidentiality or integrity on the server.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ruby:net-imap to 0.4.24, 0.5.14, or 0.6.4 (or later) on whichever release line you track; these versions contain the patch for the command injection.
  • Review application code to ensure that no user-supplied values are passed as symbols to IMAP methods. Replace Symbol arguments with validated strings or whitelist safe command arguments.
  • Implement network-level controls to restrict communication to trusted IMAP servers and monitor for anomalous command patterns that may indicate injection attempts.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.
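The second recommended action above (never pass user-supplied values to IMAP methods as Symbols; allowlist the safe arguments) is easier to follow with a concrete boundary guard. The following is an added example, not code from the advisory or from the net-imap project. It assumes a hypothetical web application that receives flag names and a mailbox name as strings (for example from request parameters) and wants to hand them to a connected `Net::IMAP` instance; all module and method names are made up for illustration.

```ruby
# Added example (not part of the advisory or the net-imap project): a small
# boundary guard that turns untrusted input into IMAP arguments without ever
# creating a Symbol from user-controlled data. Names below are hypothetical.

module ImapArgGuard
  # IMAP system flags, keyed by lower-cased name. Only these Symbols may ever
  # reach Net::IMAP methods such as #store; anything else is rejected.
  SYSTEM_FLAGS = {
    "seen"     => :Seen,
    "answered" => :Answered,
    "flagged"  => :Flagged,
    "deleted"  => :Deleted,
    "draft"    => :Draft,
  }.freeze

  # CR, LF and NUL terminate or corrupt an IMAP command line; a value that
  # contains them is never a legitimate mailbox name or search term.
  FORBIDDEN = /[\r\n\x00]/

  # Map an untrusted flag name to an allowlisted Symbol, or nil if it is not
  # one. This never calls String#to_sym on the input, so no attacker-chosen
  # Symbol can be constructed.
  def self.flag_from_untrusted(name)
    return nil unless name.is_a?(String)
    return nil if name.match?(FORBIDDEN)
    SYSTEM_FLAGS[name.strip.downcase]
  end

  # Validate a whole list; raises so a bad element cannot be silently dropped.
  def self.flags_from_untrusted(names)
    names.map do |n|
      flag_from_untrusted(n) or raise ArgumentError, "unsupported IMAP flag: #{n.inspect}"
    end
  end

  # String arguments still go through Net::IMAP's own quoting, but rejecting
  # control characters at the application boundary is cheap defense in depth
  # and yields a clear error instead of a protocol-level failure.
  def self.safe_string(value)
    s = value.to_s
    raise ArgumentError, "control characters in IMAP argument" if s.match?(FORBIDDEN)
    s
  end
end

# Usage sketch (imap would be a connected Net::IMAP instance; not run here):
#   flags = ImapArgGuard.flags_from_untrusted(params["flags"])
#   imap.store(seq_set, "+FLAGS", flags)
#   imap.select(ImapArgGuard.safe_string(params["mailbox"]))
```

The design point is that the Symbol set handed to `Net::IMAP` is fixed at code-review time: the lookup table is the only place Symbols are created, so patched or unpatched, no request can smuggle a new one in. Rejecting rather than stripping control characters keeps the failure visible in application logs, which is where an injection attempt against this weakness would first show up.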

Advisories
Source: Github GHSA
ID: GHSA-75xq-5h9v-w6px
Title: net-imap vulnerable to command Injection via unvalidated Symbol inputs
History

Sat, 09 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Title | | net-imap: Command Injection via unvalidated Symbol inputs
Weaknesses | | CWE-77, CWE-93
References | |
Metrics | | cvssV4_0: {'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:40:49.405Z

Reserved: 2026-04-26T11:53:27.704Z

Link: CVE-2026-42258

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T20:16:28.623

Modified: 2026-05-09T20:16:28.623

Link: CVE-2026-42258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T21:30:42Z

Weaknesses