Posted by nevans on 10 Feb 2025
There is a possibility for DoS in the net-imap gem. This vulnerability has been assigned the CVE identifier CVE-2025-25186. We recommend upgrading the net-imap gem.
Details
A malicious server can send highly compressed uid-set data which is automatically read by the client’s receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges.
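As an added illustration (not code from the net-imap gem), the snippet below shows the unbounded Range#to_a pattern beside a version that computes a uid-set's expanded size arithmetically and refuses to allocate when it exceeds a cap; the cap MAX_EXPANDED and the helper names are assumptions.

```ruby
# Added example, not net-imap's own code: parse an IMAP uid-set such as
# "1:3,5,7:9" into integers, but refuse to expand beyond a fixed cap.
# MAX_EXPANDED is an assumed limit chosen for illustration only.
MAX_EXPANDED = 10_000

class UidSetTooLarge < StandardError; end

# Split a uid-set into [lo, hi] pairs, validating the grammar so that
# anything other than digits and ":" is rejected before expansion.
def uid_set_ranges(uid_set)
  uid_set.split(",").map do |part|
    raise ArgumentError, "bad uid-set element: #{part.inspect}" unless part.match?(/\A\d+(:\d+)?\z/)
    lo, hi = part.split(":", 2).map(&:to_i)
    [lo, hi || lo].minmax # IMAP allows "9:7" as well as "7:9"
  end
end

# Total number of UIDs the set would expand to, computed without
# allocating anything, so it is safe to call on hostile input.
def uid_set_size(uid_set)
  uid_set_ranges(uid_set).sum { |lo, hi| hi - lo + 1 }
end

# Naive expansion mirroring the vulnerable pattern: Range#to_a with no
# bound, so "1:4294967295" would try to build ~4 billion Integers.
def expand_uid_set_unbounded(uid_set)
  uid_set_ranges(uid_set).flat_map { |lo, hi| (lo..hi).to_a }
end

# Hardened expansion: check the arithmetic size first, then expand.
def expand_uid_set(uid_set, max: MAX_EXPANDED)
  size = uid_set_size(uid_set)
  raise UidSetTooLarge, "uid-set expands to #{size} UIDs (max #{max})" if size > max
  expand_uid_set_unbounded(uid_set)
end
```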
Please update net-imap gem to version 0.3.8, 0.4.19, 0.5.6, or later.
Affected versions
- net-imap gem versions 0.3.2 to 0.3.7, 0.4.0 to 0.4.18, and 0.5.0 to 0.5.5 (inclusive).
Credits
Thanks to manun for discovering this issue.
History
- Originally published at 2025-02-10 03:00:00 (UTC)