Denial of Service Vulnerability in Ruby's Net::IMAP Client
CVE-2025-43857

Score: 6 (MEDIUM)

Key Information:

Vendor: Ruby
Status: Vendor
CVE Published: 28 April 2025

What is CVE-2025-43857?

The Net::IMAP client in Ruby has a potential vulnerability that can lead to denial of service through memory exhaustion. When a client connects to an untrusted or compromised IMAP server, it may receive a manipulated server response that announces a 'literal' with a chosen byte count. The client's receiver thread then allocates memory sized to the server's claim rather than to the data actually received, so a large enough claim can deplete the client's memory. The risk is greatest over insecure connections or when talking to servers that cannot be trusted. The issue has been addressed in newer versions of the library.
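The allocation pattern described above, as an added example that is not code from the page or from the net-imap project: a constructed Ruby helper that parses an IMAP literal header (`{N}\r\n`), checks the announced length against a cap before allocating anything, and then reads the body in bounded chunks so memory use follows bytes actually received rather than the server's claim. The helper name `read_literal`, the cap `MAX_LITERAL_BYTES`, the exception class and the sample streams are all hypothetical and constructed for this example.

```ruby
require "stringio"

# Constructed example (not net-imap's own code). An IMAP literal announces its
# size up front, so a client that trusts that number allocates it before any
# body bytes arrive: the CVE-2025-43857 pattern. This reader refuses oversize
# claims and grows its buffer only as data is actually read.
class LiteralTooLarge < StandardError; end

MAX_LITERAL_BYTES = 1024 * 1024   # cap chosen for this example; tune per deployment
CHUNK = 16 * 1024                 # upper bound on any single read

# Reads one literal ("{N}\r\n" followed by N bytes) from io.
# Returns the body as a binary String; raises LiteralTooLarge when the
# announced size exceeds max_bytes, EOFError if the stream ends early.
def read_literal(io, max_bytes: MAX_LITERAL_BYTES)
  header = io.gets("\r\n")
  m = header&.match(/\A\{(\d+)\}\r\n\z/)
  raise ArgumentError, "not a literal header: #{header.inspect}" unless m

  length = Integer(m[1])
  if length > max_bytes
    # Reject before allocating: nothing proportional to `length` exists yet.
    raise LiteralTooLarge, "server announced #{length} bytes, cap is #{max_bytes}"
  end

  # Capacity is bounded by CHUNK, never by the server-supplied length.
  body = String.new(capacity: [length, CHUNK].min, encoding: Encoding::BINARY)
  while body.bytesize < length
    chunk = io.read([CHUNK, length - body.bytesize].min)
    raise EOFError, "server closed stream mid-literal" if chunk.nil? || chunk.empty?
    body << chunk
  end
  body
end

# Constructed sample streams: a legitimate 5-byte literal, and a response that
# announces a gigabyte it never sends.
def demo
  ok  = read_literal(StringIO.new("{5}\r\nhello"))
  bad = begin
    read_literal(StringIO.new("{1073741824}\r\n"))
    :unreached
  rescue LiteralTooLarge => e
    e.class
  end
  [ok, bad]
end
```

The same cap-then-read-incrementally shape applies to any length-prefixed wire format, not only IMAP literals.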

Affected Version(s)

net-imap >= 0.5.0, < 0.5.7 (fixed in 0.5.7)

net-imap >= 0.4.0, < 0.4.20 (fixed in 0.4.20)

net-imap >= 0.3.0, < 0.3.9 (fixed in 0.3.9)

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
