QwikSec

Security Database

CVE

CWE

Training

CVE-2025-25186

Published: Feb 10, 2025

Modified: Feb 12, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory.

Vendor	Product	Versions
ruby	net-imap	affected `>= 0.3.2, < 0.3.8` affected `>= 0.4.0, < 0.4.19` affected `>= 0.5.0, < 0.5.6`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69

x_refsource_CONFIRM

https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35

x_refsource_MISC

https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3

x_refsource_MISC

https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.