CVE-2025-25186

{"id": "CVE-2025-25186", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-02-10T16:15:39.457", "references": [{"url": "https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-405"}, {"lang": "en", "value": "CWE-409"}, {"lang": "en", "value": "CWE-770"}, {"lang": "en", "value": "CWE-789"}, {"lang": "en", "value": "CWE-1287"}]}], "descriptions": [{"lang": "en", "value": "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory."}, {"lang": "es", "value": "Net::IMAP implementa la funcionalidad del cliente del Protocolo de acceso a mensajes de Internet (IMAP) en Ruby. A partir de la versi\u00f3n 0.3.2 y antes de las versiones 0.3.8, 0.4.19 y 0.5.6, existe la posibilidad de denegaci\u00f3n de servicio por agotamiento de la memoria en el analizador de respuestas de `net-imap`. En cualquier momento mientras el cliente est\u00e9 conectado, un servidor malintencionado puede enviar datos `uid-set` altamente comprimidos que son le\u00eddos autom\u00e1ticamente por el hilo receptor del cliente. El analizador de respuestas utiliza `Range#to_a` para convertir los datos `uid-set` en matrices de n\u00fameros enteros, sin limitaci\u00f3n en el tama\u00f1o expandido de los rangos. Las versiones 0.3.8, 0.4.19, 0.5.6 y posteriores solucionan este problema. Hay detalles adicionales para la configuraci\u00f3n adecuada de las versiones corregidas y la compatibilidad con versiones anteriores disponibles en el Aviso de seguridad de GitHub."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}