Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.
Published: 2026-06-22
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::IMAP is a client library in Ruby that communicates with IMAP servers. The issue stems from how the library handles non‑synchronizing literals in the "raw" arguments of several commands such as #search, #uid_search, #sort, #thread and #fetch. When an IMAP server does not support these literals, it treats the "+}\r\n" terminator as the end of a malformed command line and answers with a tagged BAD; the contents of the literal are then parsed as one or more new pipelined commands. This bypasses the intended validation and permits a CRLF‑based command injection. An attacker able to supply a crafted literal can cause the Ruby client to send arbitrary IMAP commands to the server. Depending on the commands used, the attacker can read, delete or modify mail, alter mailbox state, or trigger a denial of service, thereby compromising confidentiality, integrity or availability.

Affected Systems

The vulnerable code resides in the Net::IMAP Ruby gem that provides IMAP client functionality. Systems using Net::IMAP versions prior to 0.6.5 in the 0.6.x line or prior to 0.5.15 in the 0.5.x line are exposed. Organizations that incorporate this gem into applications or scripts that construct raw IMAP commands, especially when connecting to servers that do not advertise support for non‑synchronizing literals, may be impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.8, indicating moderate severity. There is no EPSS score available, and the flaw is not listed in the CISA KEV catalogue. Exploitation requires that the target IMAP server lacks support for non‑synchronizing literals, meaning an attacker would need to control or manipulate the server or the network path between client and server. The potential for commandeering mailbox contents or disrupting service suggests that the risk to an affected system is significant, though the condition for exploitation limits its spread to environments where the server is misconfigured or legacy. Updating to the fixed gem versions removes the vulnerability.

Generated by OpenCVE AI on June 22, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the gem to Net::IMAP version 0.6.5 or 0.5.15 to eliminate the bug.
  • Verify that your IMAP server advertises support for non‑synchronizing literals; if not, consider disabling that feature or using a server version that does support it.
  • Sanitize any external data when constructing raw IMAP commands and restrict the use of the raw argument to trusted sources to mitigate similar injection risks.
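The following check is an added example, not code from the Net::IMAP gem: before passing a raw argument to one of the affected commands, it rejects bare CR/LF outside any literal and refuses any non-synchronizing literal unless the server's advertised capability list (assumed here to be obtained from the CAPABILITY response) includes LITERAL+ or LITERAL-. The sample inputs and the hypothetical capability lists are constructed for illustration.

```ruby
# Added example (not Net::IMAP's own code): gate "raw" IMAP arguments on the
# server's support for non-synchronizing literals (RFC 7888 LITERAL+ / LITERAL-).
# A server without that support answers a "{n+}" literal with a tagged BAD and
# reads the literal body as new pipelined commands, which is the injection
# path this advisory describes.

# Non-synchronizing literal prefix: "{<octet count>+}" or "{<octet count>-}" + CRLF
NONSYNC_LITERAL = /\{(\d+)([+-])\}\r\n/

def server_supports_nonsync_literals?(capabilities)
  caps = capabilities.map { |c| c.to_s.upcase }
  caps.include?("LITERAL+") || caps.include?("LITERAL-")
end

# Returns true only when +raw+ can be sent verbatim without the server being
# able to reinterpret part of it as a separate command.
def raw_imap_arg_safe?(raw, capabilities)
  return false if raw.nil?
  rest = raw.b                      # binary copy so offsets are octet offsets
  literals_present = false
  # Cut every well-formed non-synchronizing literal (prefix + body) out of the
  # string so the remainder can be checked for bare CR/LF.
  while (m = NONSYNC_LITERAL.match(rest))
    literals_present = true
    len = m[1].to_i
    body_start = m.end(0)
    body = rest[body_start, len]
    return false if body.nil? || body.bytesize < len   # truncated literal
    rest = rest[0...m.begin(0)] + rest[(body_start + len)..]
  end
  return false if rest.match?(/[\r\n]/)   # CRLF outside a literal: injection
  return true unless literals_present
  # Literals are only framed correctly if the server actually supports them.
  server_supports_nonsync_literals?(capabilities)
end
```

In a hardened client this check runs against the capability list fetched after login, and a false result means the raw argument must not be sent at all.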


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-8p34-64r3-mwg8
Title: Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
History

Mon, 22 Jun 2026 21:00:00 +0000

Values removed: none

Values added:

Description: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.

Title: Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument

Weaknesses: CWE-77, CWE-93

References:

Metrics (cvssV4_0): {'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:17:15.376Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47240

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:00:11Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')