CVE-2026-42258

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

High

Attack Requirements

Present

Privileges Required

None

User Interaction

Passive

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

ruby / net-imap< 0.4.24 – < 0.4.24
ruby / net-imap>= 0.5.0, < 0.5.14 – >= 0.5.0, < 0.5.14
ruby / net-imap>= 0.6.0, < 0.6.4 – >= 0.6.0, < 0.6.4

References

VENDOR_ADVISORYhttps://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px
PATCHhttps://github.com/ruby/net-imap/releases/tag/v0.4.24
PATCHhttps://github.com/ruby/net-imap/releases/tag/v0.5.14
PATCHhttps://github.com/ruby/net-imap/releases/tag/v0.6.4