Ruby Net::IMAP Denial-of-Service Vulnerability Due to Quadratic Response Processing

Vulnerability

A denial-of-service vulnerability has been identified in the Ruby Net::IMAP library, specifically in the ResponseReader component. This issue arises from a quadratic time complexity when the reader processes large responses filled with string literals. A malicious server can exploit this behavior, causing excessive CPU usage on the client side. The vulnerability affects Net::IMAP versions 0.4.0 through 0.4.23, 0.5.0 through 0.5.13, and 0.6.0 through 0.6.3.

Impact

Exploitation of this vulnerability leads to significant CPU exhaustion in the client's receiver thread, causing a denial-of-service condition. This effect is magnified with larger responses, particularly those that approach the default maximum response size.

Reproduction

The vulnerability can be reproduced by sending a crafted IMAP response that includes multiple string literals. This can be done by an untrusted server during an IMAP session.

Remediation

Users can upgrade to Net::IMAP versions 0.4.24, 0.5.14, or 0.6.4, all of which include the necessary performance improvements to address this vulnerability.
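To check whether a deployment falls inside the affected ranges stated above, the following Ruby snippet is an added example (not code from the Net::IMAP project) that maps a net-imap version to the minimal fixed release on its line and pulls the locked version out of a Gemfile.lock; the lockfile text embedded below is constructed for illustration.

```ruby
require "rubygems"

# Affected ranges and the corresponding fixed versions, as stated in the advisory.
AFFECTED = [
  ["0.4.0", "0.4.23", "0.4.24"],
  ["0.5.0", "0.5.13", "0.5.14"],
  ["0.6.0", "0.6.3",  "0.6.4"],
].freeze

# Returns nil when the given version is not affected, otherwise the minimal
# fixed version on the same release line.
def net_imap_fix_for(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED.each do |first, last, fixed|
    range = Gem::Requirement.new(">= #{first}", "<= #{last}")
    return fixed if range.satisfied_by?(v)
  end
  nil
end

# Extracts the locked net-imap version from Gemfile.lock text (specs are
# indented by exactly four spaces); returns nil when the gem is not locked.
def locked_net_imap_version(lockfile_text)
  m = lockfile_text.match(/^ {4}net-imap \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      net-imap (0.5.13)
        date
        net-protocol
      net-protocol (0.2.2)
        timeout
LOCK

# Reports on the net-imap gem installed in the current Ruby environment.
def installed_net_imap_status
  spec = Gem::Specification.find_by_name("net-imap")
  fix = net_imap_fix_for(spec.version.to_s)
  fix ? "net-imap #{spec.version} is affected; upgrade to #{fix}" :
        "net-imap #{spec.version} is not affected"
rescue Gem::MissingSpecError
  "net-imap gem not installed"
end

puts installed_net_imap_status if $PROGRAM_NAME == __FILE__
```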

Added: May 9, 2026, 8:30 PM
Updated: May 9, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 5.4
remediation: 7.9
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.