Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.
Published: 2026-06-22
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Several Net::IMAP commands accept a raw string argument that the library checks only for CR and LF before sending it to the server verbatim. If an application builds that string from user-controlled input, the attacker can shape it so that the server treats the client's next command as a continuation of the first one. The first command eventually fails, but it does not return until another thread sends a further command, and that second command does not return until the connection is closed. The result is a denial of service against the client application: the affected IMAP connection hangs instead of failing fast.

Affected Systems

The issue affects the Ruby Net::IMAP client. Versions prior to 0.6.5 for the 0.6 branch and prior to 0.5.15 for the 0.5 branch are vulnerable. Upgrading to 0.6.5 or 0.5.15 removes the flaw.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 2.1 (Low); the vector (AV:N/AC:L/AT:P/PR:L/UI:P, availability impact only) describes a network-reachable issue that needs low privileges, passive user interaction and a specific precondition. No EPSS score is available and it is not listed in CISA's KEV catalog. The realistic attack path is an application that forwards untrusted input into a Net::IMAP command argument that is sent raw; the attacker does not need access to the IMAP server, only the ability to supply that input. Because exploitation depends on this particular client coding pattern, widespread exploitation is unlikely, but an affected application can be made to hang its IMAP connection.

Generated by OpenCVE AI on June 22, 2026 at 22:51 UTC.

Remediation

Fixed upstream in Net::IMAP 0.6.5 and 0.5.15 (see the description and the GHSA advisory listed under Advisories). No separate workaround is listed.

OpenCVE Recommended Actions

  • Update the Ruby Net::IMAP gem to version 0.6.5 or 0.5.15, whichever applies to your codebase.
  • Validate or encode any user‑controlled input before it reaches a Net::IMAP command argument that is sent verbatim; stripping CRLF alone is not sufficient, as this advisory shows.
  • Implement connection timeouts or retry logic to detect and recover from hung IMAP commands, mitigating temporary loss of service.
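As an added example (not code from the Net::IMAP project or from the advisory), the Ruby module below shows the application-side guard the recommendations above call for: untrusted input is encoded as an RFC 3501 quoted string, or left bare only when it is a plain atom, before it is interpolated into a command argument that would otherwise be sent verbatim. The advisory does not identify which raw syntax it concerns, so the `framing_complete?` check is general IMAP grammar reasoning rather than a description of the bug: it flags the RFC 3501 constructs that leave a server waiting for more bytes (an unterminated quoted string, an unbalanced parenthesised list, a trailing literal prefix `{n}`), which is exactly the situation in which a following command would be swallowed. The `SafeImapArg` module, the `USER_INPUT` sample and the `unsafe_criteria`/`safe_criteria` helpers are all constructed for this page and do not require Net::IMAP to run.

```ruby
# Added example for this page; not part of Net::IMAP or the advisory.
# Encodes untrusted input so it can be interpolated into a raw IMAP command
# argument without changing how the server frames the command.
module SafeImapArg
  class UnsafeArgument < ArgumentError; end

  # RFC 3501 ASTRING-CHAR: printable 7-bit, excluding SP ( ) { % * " and backslash.
  ASTRING_ATOM = /\A[\x21-\x7E&&[^(){%*"\\]]+\z/
  # Bytes that may never appear inside an IMAP quoted string.
  QUOTED_FORBIDDEN = /[\x00\r\n]/
  NON_ASCII = /[^\x00-\x7F]/

  # Wire form of +value+ as an RFC 3501 quoted string: "..." with \ and " escaped.
  def self.quote(value)
    s = value.to_s
    raise UnsafeArgument, "CR, LF or NUL in argument" if s.match?(QUOTED_FORBIDDEN)
    raise UnsafeArgument, "non-ASCII argument must be sent as a literal" if s.match?(NON_ASCII)
    '"' + s.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
  end

  # Wire form of +value+ as an astring: bare when it is a plain atom, quoted
  # otherwise. Inside quotes, { ( ) " and spaces are data, so a value such as
  # "report {12}" can no longer alter the command's framing.
  def self.astring(value)
    s = value.to_s
    s.match?(ASTRING_ATOM) ? s : quote(s)
  end

  # Defensive check on a raw command line before it is sent: no CR/LF, every
  # quoted string and parenthesised list closed, and no trailing literal prefix
  # "{n}" or "{n+}" (RFC 3501 / RFC 7888), which would make the server read the
  # following bytes as data instead of as the next command.
  def self.framing_complete?(line)
    return false if line.match?(/[\r\n]/)
    depth = 0
    in_quote = false
    i = 0
    while i < line.length
      c = line[i]
      if in_quote
        if c == "\\"
          i += 1            # skip the escaped character
        elsif c == '"'
          in_quote = false
        end
      else
        case c
        when '"' then in_quote = true
        when "(" then depth += 1
        when ")"
          depth -= 1
          return false if depth.negative?
        end
      end
      i += 1
    end
    !in_quote && depth.zero? && !line.match?(/\{\d+\+?\}\z/)
  end
end

# Constructed untrusted input: a search term a user might type.
USER_INPUT = "report {12}"

# Vulnerable pattern: interpolating the input into a raw argument.
def unsafe_criteria(input)
  "SUBJECT #{input}"
end

# Hardened pattern: encode first, then interpolate.
def safe_criteria(input)
  "SUBJECT #{SafeImapArg.astring(input)}"
end

if __FILE__ == $PROGRAM_NAME
  [unsafe_criteria(USER_INPUT), safe_criteria(USER_INPUT)].each do |line|
    puts "#{SafeImapArg.framing_complete?(line) ? 'ok    ' : 'UNSAFE'} #{line}"
  end
end
```

Run stand-alone, the script prints the raw `SUBJECT report {12}` line as unsafe and the encoded `SUBJECT "report {12}"` line as ok. `quote` deliberately refuses non-ASCII rather than emitting a literal, because a literal is itself a continuation and should be produced by the library, not by hand-built strings; treat `framing_complete?` as a last-line check before sending, not as a substitute for encoding the argument.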



Advisories
Source: GitHub GHSA
ID: GHSA-c4fp-cxrr-mj66
Title: Net::IMAP: Denial of Service via incomplete raw argument validation
History

Mon, 22 Jun 2026 21:00:00 +0000

Values removed: none

Values added:
  • Description: the CVE description text shown at the top of this page
  • Title: Net::IMAP: Denial of Service via incomplete raw argument validation
  • Weaknesses: CWE-162, CWE-182, CWE-186
  • References: (none listed)
  • Metrics: cvssV4_0, score 2.1, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:11:04.329Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47241

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:00:11Z

Weaknesses
  • CWE-162

    Improper Neutralization of Trailing Special Elements

  • CWE-182

    Collapse of Data into Unsafe Value

  • CWE-186

    Overly Restrictive Regular Expression