Denial of Service Vulnerability in Ruby's Net::IMAP Implementation
CVE-2026-42245

2.3LOW

Key Information:

Vendor

Ruby

Status
Net-imap
Vendor
CVE Published:
9 May 2026

What is CVE-2026-42245?

The Net::IMAP library in Ruby, which provides IMAP client functionality, is affected by an issue where the ResponseReader can experience quadratic time complexity when processing large responses with multiple string literals. This could enable a malicious server to construct responses capable of consuming excessive CPU resources, potentially leading to a denial of service condition. The problem has been addressed in subsequent releases 0.4.24, 0.5.14, and 0.6.4, which optimize the handling of IMAP responses.

Affected Version(s)

net-imap < 0.4.24 < 0.4.24

net-imap >= 0.5.0, < 0.5.14 < 0.5.0, 0.5.14

net-imap >= 0.6.0, < 0.6.4 < 0.6.0, 0.6.4

References

https://github.com/ruby/net-imap/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/ruby/net-imap/commit/6091f7d6b1f3514ca...
x_refsource_MISC
https://github.com/ruby/net-imap/commit/88d95231fc8afef11...
x_refsource_MISC

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.