Home

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M




MEDIUM: 5.8CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Product status

< 0.4.24
affected

>= 0.5.0, < 0.5.14
affected

>= 0.6.0, < 0.6.4
affected

References

github.com/...t-imap/security/advisories/GHSA-75xq-5h9v-w6px

github.com/ruby/net-imap/releases/tag/v0.4.24

github.com/ruby/net-imap/releases/tag/v0.5.14

github.com/ruby/net-imap/releases/tag/v0.6.4

cve.org (CVE-2026-42258)

nvd.nist.gov (CVE-2026-42258)

Download JSON