Home

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

PUBLISHED Reserved 2026-04-25 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M




LOW: 2.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-407: Inefficient Algorithmic Complexity

Product status

< 0.4.24
affected

>= 0.5.0, < 0.5.14
affected

>= 0.6.0, < 0.6.4
affected

References

github.com/...t-imap/security/advisories/GHSA-q2mw-fvj9-vvcw

github.com/...ommit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96

github.com/...ommit/88d95231fc8afef11c1f074453f7d75b68c9dfda

github.com/...ommit/de685f91a4a4cc75eb80da898c2bf8af08d34819

github.com/ruby/net-imap/releases/tag/v0.4.24

github.com/ruby/net-imap/releases/tag/v0.5.14

github.com/ruby/net-imap/releases/tag/v0.6.4

cve.org (CVE-2026-42245)

nvd.nist.gov (CVE-2026-42245)

Download JSON