Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
References
| Link | Resource |
|---|---|
| https://github.com/ruby/net-imap/releases/tag/v0.4.24 | Release Notes |
| https://github.com/ruby/net-imap/releases/tag/v0.5.14 | Release Notes |
| https://github.com/ruby/net-imap/releases/tag/v0.6.4 | Release Notes |
| https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg | Mitigation Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
18 May 2026, 17:59
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/ruby/net-imap/releases/tag/v0.4.24 - Release Notes | |
| References | () https://github.com/ruby/net-imap/releases/tag/v0.5.14 - Release Notes | |
| References | () https://github.com/ruby/net-imap/releases/tag/v0.6.4 - Release Notes | |
| References | () https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg - Mitigation, Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| First Time |
Ruby-lang net\
Ruby-lang |
|
| CPE | cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* |
09 May 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-09 20:16
Updated : 2026-05-18 17:59
NVD link : CVE-2026-42257
Mitre link : CVE-2026-42257
CVE.ORG link : CVE-2026-42257
JSON object : View
Products Affected
ruby-lang
- net\