ruby-net-imap
cpe:2.3:a:ruby-lang:net::imap:*:*:*:*:ruby:*:*
- >= 0, <= 0.4.23
- >= 0.5.0, <= 0.5.13
- >= 0.6.0, <= 0.6.3
A CRLF injection vulnerability has been identified in the Ruby Net::IMAP library (the net-imap gem) in versions before 0.4.24, 0.5.14 and 0.6.4 of the respective release series. Net::IMAP encodes Symbol arguments as IMAP system flags: a Symbol such as :Seen is written to the socket as the atom \Seen. The affected versions perform no validation of the Symbol's name before writing it, so a name that contains a CRLF sequence followed by further text is sent verbatim, and the IMAP server parses the text after the CRLF as a new, separate command.
Exploitation of this vulnerability allows IMAP command injection: an attacker who controls the name of a Symbol passed as a flag argument (for example to STORE or APPEND) can append additional commands that the server executes within the victim's authenticated session, potentially leading to unauthorized actions such as deleting mailboxes.
Users are advised to upgrade to Net::IMAP 0.4.24, 0.5.14 or 0.6.4, all of which include the necessary patch. Additionally, ensure that user-controlled input cannot directly influence the creation of Symbol arguments for IMAP commands: map user-supplied flag names onto a fixed allowlist of known system flags rather than converting them to Symbols, and reject any flag name that is not a valid IMAP atom (no control characters, whitespace, or atom-special characters).
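The following Ruby example, added here and not taken from net-imap's own source, models the mechanism described above with a constructed toy client: it serialises Symbol flag arguments as \Name the way the affected versions do, shows that a CRLF-bearing Symbol produces extra commands on the wire, and then shows the two mitigations, an atom validator on the serialisation path and an allowlist that maps user input to fixed flag Symbols. The class, method and constant names (ToyImapClient, atom?, flag_from_user, SYSTEM_FLAGS) and the injected tag RUBY9999 are assumptions for illustration.

```ruby
# Constructed model of the Net::IMAP Symbol/CRLF injection and its hardening.
# Not net-imap's own code: a toy client that writes to an in-memory "socket".
require "stringio"

CRLF = "\r\n"

# RFC 3501 atom-specials plus CTLs and SP: a system flag name must be an atom,
# so none of these characters may appear in it. Catches \r and \n in particular.
ATOM_SPECIALS = /[\x00-\x20\x7f(){%*"\\\]]/

def atom?(str)
  !str.empty? && str.ascii_only? && str !~ ATOM_SPECIALS
end

class ToyImapClient
  attr_reader :wire

  # validate: false reproduces the pre-fix behaviour, true the hardened one.
  def initialize(validate:)
    @wire = StringIO.new   # stands in for the TCP socket
    @validate = validate
    @tagno = 0
  end

  # Sends "<tag> STORE <set> +FLAGS (<flags>)" and returns the tag used.
  def store(set, flags)
    @tagno += 1
    tag = format("RUBY%04d", @tagno)
    args = flags.map { |f| send_symbol_data(f) }.join(" ")
    @wire << "#{tag} STORE #{set} +FLAGS (#{args})#{CRLF}"
    tag
  end

  private

  # Symbol -> "\Name". The affected versions do exactly this prefixing with no
  # check on the name; the hardened path refuses anything that is not an atom.
  def send_symbol_data(sym)
    name = sym.to_s
    if @validate && !atom?(name)
      raise ArgumentError, "invalid system flag #{name.inspect}: not an IMAP atom"
    end
    "\\" + name
  end
end

# What the server sees: one command per CRLF-terminated line.
def commands_on_wire(client)
  client.wire.string.split(CRLF)
end

# Mitigation for user-facing code: never build a Symbol from user input; look the
# name up in a fixed allowlist of system flags instead (assumed helper).
SYSTEM_FLAGS = {
  "seen" => :Seen, "answered" => :Answered, "flagged" => :Flagged,
  "deleted" => :Deleted, "draft" => :Draft
}.freeze

def flag_from_user(name)
  SYSTEM_FLAGS.fetch(name.to_s.downcase) do
    raise ArgumentError, "unknown flag #{name.inspect}"
  end
end

def demo
  # Constructed attacker-influenced Symbol: closes the flag list, injects a
  # DELETE with its own tag, then opens a throwaway command to swallow the
  # client's trailing ")".
  payload = :"Seen)\r\nRUBY9999 DELETE INBOX\r\nRUBY9998 NOOP ("

  vulnerable = ToyImapClient.new(validate: false)
  vulnerable.store("1", [payload])
  injected = commands_on_wire(vulnerable)   # three commands reach the server

  hardened = ToyImapClient.new(validate: true)
  rejected = begin
    hardened.store("1", [payload])
    false
  rescue ArgumentError
    true
  end

  { injected: injected, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "commands on the wire (unvalidated): #{r[:injected].inspect}"
  puts "hardened client rejected payload: #{r[:rejected]}"
  puts "user flag 'SEEN' -> #{flag_from_user('SEEN').inspect}"
end
```

The atom check is the property the patch needs to enforce at the serialisation boundary; the allowlist is the application-side control named in the remediation advice, and it is worth keeping even on fixed versions because it also stops a user from naming arbitrary keyword flags.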