Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::IMAP, a Ruby library for IMAP client functionality, allowed callers to pass symbol arguments directly to IMAP commands in releases before 0.4.24, 0.5.14 and 0.6.4. Those symbols were concatenated into the command string without proper escaping, enabling an attacker to inject carriage-return line-feed (CRLF) sequences and additional IMAP commands. This flaw can lead to arbitrary IMAP command execution on the server side, potentially leaking data, altering mailbox contents, or performing privileged operations. The weakness is classified as command injection (CWE-77) and involves improper neutralization of special elements in a command context (CWE-93).

Affected Systems

Versions of the ruby:net-imap package older than 0.4.24, 0.5.14, and 0.6.4 are affected. The library is distributed as a Ruby gem and used by applications that rely on IMAP client capabilities.

Risk and Exploitability

The CVSS score is 5.8, indicating moderate severity. Exploitation requires an attacker who can influence the data sent to the IMAP client, such as through an application that forwards user input to IMAP commands. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. If an attacker can supply untrusted symbol arguments, they could inject additional IMAP commands, potentially compromising data confidentiality or integrity on the server.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ruby:net-imap to at least version 0.4.24, 0.5.14, or 0.6.4, which contain the patch for command injection.
  • Review application code to ensure that no user-supplied values are passed as symbols to IMAP methods. Replace Symbol arguments with validated strings or whitelist safe command arguments.
  • Implement network-level controls to restrict communication to trusted IMAP servers and monitor for anomalous command patterns that may indicate injection attempts.
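One way to apply the second recommendation in application code, as an added example that is not part of this advisory or of the net-imap project: bare arguments are checked against the RFC 3501 atom grammar (an assumption about which argument form the application sends), and symbols are accepted only from a constructed allowlist of flag names, so a value carrying CR or LF can never terminate the command and start another.

```ruby
# Added example; not code from this advisory or from the net-imap project.
# Values are checked before an application hands them to an IMAP client.
# Assumptions: bare arguments follow the RFC 3501 "atom" grammar, and the
# flag allowlist below is constructed for a hypothetical application.

class UnsafeImapArgument < StandardError; end

# Flag symbols this hypothetical application is allowed to send.
ALLOWED_FLAG_SYMBOLS = %i[Seen Answered Flagged Deleted Draft].freeze

# RFC 3501 atom-char: printable ASCII except SP, CTL and the atom-specials
# ( ) { % * " \ ]   (8-bit bytes are excluded separately via ascii_only?).
ATOM_RE = /\A[^\x00-\x20\x7f(){%*"\\\]]+\z/

# Returns the value as a String if it is a bare IMAP atom; raises otherwise.
# CR/LF is tested first so the error names the injection attempt explicitly.
def validate_atom(value)
  str = value.to_s
  raise UnsafeImapArgument, "CR/LF in argument #{str.inspect}" if str.match?(/[\r\n]/)
  unless str.ascii_only? && ATOM_RE.match?(str)
    raise UnsafeImapArgument, "not an IMAP atom: #{str.inspect}"
  end
  str
end

# A Symbol reaching an IMAP command must come from the allowlist: a symbol
# built from request data (e.g. via to_sym) is refused, not interpolated.
def validate_flag_symbol(sym)
  raise UnsafeImapArgument, "unexpected flag #{sym.inspect}" unless ALLOWED_FLAG_SYMBOLS.include?(sym)
  "\\#{sym}" # \Seen, \Deleted, ... as written on the wire
end

def safe_argument(value)
  value.is_a?(Symbol) ? validate_flag_symbol(value) : validate_atom(value)
end

# One command line from a tag, a command name and arguments; every piece is
# validated, so the result contains exactly one CRLF, at the very end.
def build_command(tag, name, *args)
  words = [validate_atom(tag), validate_atom(name)] + args.map { |a| safe_argument(a) }
  "#{words.join(' ')}\r\n"
end

# Check for existing code paths that build command strings themselves: any
# CR or LF before the terminating CRLF means a second command was spliced in.
def injected?(command)
  body = command.delete_suffix("\r\n")
  body.length == command.length || body.match?(/[\r\n]/)
end
```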


Advisories
Source: Github GHSA
ID: GHSA-75xq-5h9v-w6px
Title: net-imap vulnerable to command Injection via unvalidated Symbol inputs
History

Mon, 18 May 2026 18:15:00 +0000

Values removed: none
Values added:
  First Time appeared: Ruby-lang net\
  CPEs: cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:*
  Vendors & Products: Ruby-lang net\
  Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 11 May 2026 15:15:00 +0000

Values removed: none
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 20:15:00 +0000

Values removed: none
Values added:
  First Time appeared: Ruby-lang; Ruby-lang net::imap
  Vendors & Products: Ruby-lang; Ruby-lang net::imap

Sat, 09 May 2026 20:00:00 +0000

Values removed: none
Values added:
  Description: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
  Title: net-imap: Command Injection via unvalidated Symbol inputs
  Weaknesses: CWE-77, CWE-93
  References:
  Metrics (cvssV4_0): {'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T14:57:24.039Z

Reserved: 2026-04-26T11:53:27.704Z

Link: CVE-2026-42258

Vulnrichment

Updated: 2026-05-11T14:57:20.913Z

NVD

Status: Analyzed

Published: 2026-05-09T20:16:28.623

Modified: 2026-05-18T18:02:35.790

Link: CVE-2026-42258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T20:00:05Z

Weaknesses