Denial of Service in Ruby's Net::IMAP Client
CVE-2025-25186
What is CVE-2025-25186?
The Net::IMAP library in Ruby is susceptible to a denial of service attack due to a flaw in its response parser. Specifically, versions 0.3.2 through 0.3.7, 0.4.0 through 0.4.18, and 0.5.0 through 0.5.5 allow a malicious server to send highly compressed uid-set data. This data can cause memory exhaustion because the response parser does not impose limits on the size of the expanded ranges when converting a uid-set into arrays of integers. Users are encouraged to upgrade to versions 0.3.8, 0.4.19, 0.5.6 or later for protection against this vulnerability. For configuration details and backward compatibility guidance, refer to the GitHub Security Advisory.
Affected Version(s)
Package    Affected versions       Unaffected versions
net-imap   >= 0.3.2, < 0.3.8       < 0.3.2, >= 0.3.8
net-imap   >= 0.4.0, < 0.4.19      < 0.4.0, >= 0.4.19
net-imap   >= 0.5.0, < 0.5.6       < 0.5.0, >= 0.5.6