CVE-2026-42257

CRITICAL

net-imap: Command Injection via "raw" arguments to multiple commands

Title source: cna

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

References (4)

Core 4

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg

X_Refsource_Misc x_refsource_misc

https://github.com/ruby/net-imap/releases/tag/v0.4.24

X_Refsource_Misc x_refsource_misc

https://github.com/ruby/net-imap/releases/tag/v0.5.14

X_Refsource_Misc x_refsource_misc

https://github.com/ruby/net-imap/releases/tag/v0.6.4

Scores

CVSS v3 9.8

EPSS 0.0002

EPSS Percentile 3.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-77 CWE-93

Status published

Products (7)

ruby/net-imap < 0.4.24

ruby/net-imap >= 0.5.0, < 0.5.14

ruby/net-imap >= 0.6.0, < 0.6.4

ruby-lang/net\ < 0.4.24

rubygems/net-imap 0 - 0.4.24RubyGems

rubygems/net-imap 0.5.0 - 0.5.14RubyGems

rubygems/net-imap 0.6.0 - 0.6.4RubyGems

Published May 09, 2026

Tracked Since May 10, 2026