Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.
Published: 2026-06-22
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Net::IMAP library accepts raw string arguments in several IMAP commands and only validates them to prevent CRLF injection. If an attacker supplies a user‑controlled raw string, the next IMAP command may be interpreted as a continuation of the first command. This causes the original command to fail and hang until another command from a different thread is sent, which will in turn not return until the I/O connection is closed, resulting in a denial‑of‑service condition for the client application. The issue aligns with several weaknesses, including CWE‑162, CWE‑182, CWE‑186, and CWE‑88.

Affected Systems

The issue affects the Ruby Net::IMAP client. Versions prior to 0.6.5 for the 0.6 branch and prior to 0.5.15 for the 0.5 branch are vulnerable. Upgrading to 0.6.5 or 0.5.15 removes the flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 2.1, indicating low severity, and the EPSS score indicates a very low exploitation probability (< 1%). It is not listed in CISA’s KEV catalog. The underlying issue is improper raw argument validation, classified as CWE‑162, CWE‑182, CWE‑186, and CWE‑88. The most likely attack vector is an application that forwards untrusted input directly to the Net::IMAP library; the attacker needs the ability to send crafted IMAP commands from a user‑controlled context. Because the exploit requires a specific client use case, the risk of widespread exploitation is limited, but it can cause a denial of service to the impacted application.

Generated by OpenCVE AI on July 14, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ruby Net::IMAP gem to version 0.6.5 or 0.5.15, whichever applies to your codebase.
  • Validate or sanitize any user‑controlled input before passing it to Net::IMAP commands, ensuring no CRLF or raw command injection can occur.
  • Implement connection timeouts or retry logic to detect and recover from hung IMAP commands, mitigating temporary loss of service.

Generated by OpenCVE AI on July 14, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c4fp-cxrr-mj66 Net::IMAP: Denial of Service via incomplete raw argument validation
History

Thu, 02 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-88
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang
Ruby-lang net::imap
Vendors & Products Ruby-lang
Ruby-lang net::imap

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.
Title Net::IMAP: Denial of Service via incomplete raw argument validation
Weaknesses CWE-162
CWE-182
CWE-186
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Ruby-lang Net::imap
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T14:16:32.846Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47241

cve-icon Vulnrichment

Updated: 2026-06-23T14:16:29.139Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T20:11:04Z

Links: CVE-2026-47241 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T21:30:16Z

Weaknesses
  • CWE-162

    Improper Neutralization of Trailing Special Elements

  • CWE-182

    Collapse of Data into Unsafe Value

  • CWE-186

    Overly Restrictive Regular Expression

  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')