Posted by nevans on 28 Apr 2025
There is a possibility for DoS by in the net-imap gem. This vulnerability has been assigned the CVE identifier CVE-2025-43857. We recommend upgrading the net-imap gem.
Details
A malicious server can send can send a “literal” byte count which is automatically read by the client’s receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It affects insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname).
Please update net-imap gem to version 0.2.5, 0.3.9, 0.4.20, 0.5.7, or later.
When connecting to untrusted servers or using an insecure connection, max_response_size and response handlers must be configured appropriately to limit memory consumption. See GHSA-j3g3-5qv5-52mj for more details.
Affected versions
net-imap gem versions <= 0.2.4, 0.3.0 to 0.3.8, 0.4.0 to 0.4.19, and 0.5.0 to 0.5.6.
Credits
Thanks to Masamune for discovering this issue.
History
- Originally published at 2025-04-28 16:02:04 (UTC)