CVE-2026-42257
IMAP Command Injection in Ruby Net::IMAP

Publication date: 2026-05-09

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Meta Information
Generated: 2026-06-19
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor      Product   Version / Range
ruby-lang   net       up to 0.4.24 (exc)
ruby-lang   net       from 0.5.0 (inc) to 0.5.14 (exc)
ruby-lang   net       from 0.6.0 (inc) to 0.6.4 (exc)
CWE ID    Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Executive Summary

CVE-2026-42257 is a command injection vulnerability in the ruby/net-imap library affecting versions 0.6.0 to 0.6.3, 0.5.0 to 0.5.13, and 0.0.0 to 0.4.23.

The issue occurs because several IMAP commands (such as uid_search, search, uid_fetch, fetch, uid_store, store, setquota) accept raw string arguments that are sent directly to the IMAP server without validation or escaping.

If these raw strings are derived from user-controlled input, an attacker can inject CRLF (Carriage Return Line Feed) sequences to append arbitrary IMAP commands, potentially manipulating the mail server.

This vulnerability is particularly risky for applications that dynamically build search queries or fetch attributes from user input, like mail clients or archival tools.

The vulnerability has been patched in versions 0.4.24, 0.5.14, and 0.6.4 by validating raw data inputs and avoiding unsafe usage of Net::IMAP::RawData.

Impact Analysis

An attacker exploiting this vulnerability can inject arbitrary IMAP commands into the communication with the mail server.

This could allow actions such as deleting mailboxes or modifying mail data without proper authorization.

Applications that accept user input to build IMAP commands dynamically, like mail clients or archival tools, are especially at risk.

The vulnerability could lead to privilege escalation or unauthorized manipulation of mail data if inputs are not properly validated.

Temporary mitigations include validating input strings to exclude CRLF characters or restricting inputs to trusted values.

Detection Guidance

This vulnerability involves injection of CRLF sequences into IMAP commands sent by the Net::IMAP client library when user-controlled input is passed without validation. Detection involves monitoring IMAP traffic for suspicious command injections or unexpected CRLF sequences in commands such as uid_search, search, uid_fetch, fetch, uid_store, store, and setquota.

Since the vulnerability is in the client library, detection on the network could involve inspecting IMAP command payloads for embedded CRLF sequences that could indicate injection attempts.

No specific detection commands are provided in the resources, but general approaches include:

  • Using network packet capture tools (e.g., tcpdump, Wireshark) to capture IMAP traffic and filter for commands containing CRLF sequences.
  • Searching application logs or debug output for IMAP commands that include unexpected line breaks or multiple commands concatenated.
  • Reviewing source code or configuration to identify usage of vulnerable Net::IMAP versions and raw string arguments passed to IMAP commands.
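A concrete form of the log-review approach listed above, as an added example that is not from the advisory or the net-imap project. It assumes a constructed log format of one `imap <command> arg=<argument as String#inspect>` line per outbound command, so control characters appear escaped rather than as real line breaks:

```ruby
# Added example (not from the advisory or the net-imap project): scan
# application log lines for raw IMAP command arguments carrying embedded
# CR/LF, the shape of the injection CVE-2026-42257 describes.
# Assumed (constructed) log format: one line per outbound command,
#   imap <command> arg=<argument as String#inspect>
# so control characters appear escaped as \r and \n, never as real breaks.

# Commands the advisory lists as accepting raw string arguments.
RAW_ARG_COMMANDS = %w[uid_search search uid_fetch fetch uid_store store setquota].freeze

LOG_LINE = /\Aimap (?<cmd>\w+) arg=(?<arg>".*")\z/
# An inspect-escaped CR or LF inside the logged argument.
ESCAPED_CRLF = /\\[rn]/
# A break followed by what looks like a second tagged command ("\r\nA2 NOOP").
CONCAT_COMMAND = /(?:\\[rn])+\s*[A-Za-z0-9]+ [A-Z]+/

# True when the line is a raw-argument command whose argument holds CR or LF.
def suspicious_imap_log_line?(line)
  m = LOG_LINE.match(line)
  return false unless m && RAW_ARG_COMMANDS.include?(m[:cmd])
  m[:arg].match?(ESCAPED_CRLF)
end

# Return one finding per suspicious line, classifying the embedded break.
def scan_imap_log(lines)
  lines.each_with_object([]) do |line, hits|
    next unless suspicious_imap_log_line?(line)
    kind = line.match?(CONCAT_COMMAND) ? "concatenated command" : "embedded CRLF"
    hits << { command: LOG_LINE.match(line)[:cmd], kind: kind, line: line }
  end
end

# Constructed sample lines: two benign, two suspicious, one not a raw-arg command.
SAMPLE_LOG = [
  'imap search arg="SUBJECT \"quarterly report\""',
  'imap fetch arg="BODY[HEADER]"',
  'imap search arg="SUBJECT x\r\nA2 NOOP"',
  'imap fetch arg="BODY[TEXT]\n"',
  'imap login arg="user\r\n"',
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_imap_log(SAMPLE_LOG).each do |h|
    puts "#{h[:command]}: #{h[:kind]} -> #{h[:line]}"
  end
end
```

The same regexes can be applied to Wireshark or tcpdump exports of the client side of the session once the captured command text is escaped the same way.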

Mitigation Strategies

The primary mitigation is to upgrade the ruby/net-imap library to a patched version: 0.4.24, 0.5.14, or 0.6.4, or a later release in the same series.

If upgrading immediately is not possible, temporary mitigations include validating all raw string inputs passed to IMAP commands to ensure they do not contain CRLF sequences.

Restrict inputs to trusted values and avoid passing user-controlled input directly to vulnerable IMAP commands such as uid_search, search, uid_fetch, fetch, uid_store, store, and setquota.
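One way to apply the validation and allowlisting mitigations above, as an added example that is neither the advisory's nor net-imap's own code. `ImapArgumentError`, `validate_raw_imap_arg!`, `search_criteria` and `GuardedImap` are hypothetical helpers, and the note that the array form of `Net::IMAP#search` quotes values itself is an assumption to confirm against the installed version:

```ruby
# Added example (not the advisory's or net-imap's own code): refuse
# user-controlled strings that carry CR/LF before they reach a Net::IMAP
# command that takes a raw string argument (CVE-2026-42257).
class ImapArgumentError < ArgumentError; end

# Commands the advisory lists as taking raw string arguments.
RAW_ARG_COMMANDS = %i[uid_search search uid_fetch fetch uid_store store setquota].freeze

# CR and LF are rejected individually (not only as a pair), plus NUL, which
# is never valid inside an IMAP command line.
FORBIDDEN = /[\r\n\0]/

# Return the string unchanged, or raise naming the first offending byte.
def validate_raw_imap_arg!(value)
  s = value.to_s
  if (m = FORBIDDEN.match(s))
    raise ImapArgumentError, "control byte #{m[0].inspect} at offset #{m.begin(0)}"
  end
  s
end

# Allowlisted search keys a UI may expose; anything else is refused.
SEARCH_KEYS = %w[SUBJECT FROM TO BODY].freeze

# Build search criteria as separate key and value elements rather than one
# pre-joined raw string. Assumption: in array form Net::IMAP#search quotes
# each value itself; confirm against the installed version.
def search_criteria(key, value)
  k = key.to_s.upcase
  raise ImapArgumentError, "unsupported search key #{key.inspect}" unless SEARCH_KEYS.include?(k)
  [k, validate_raw_imap_arg!(value)]
end

# Hypothetical wrapper: checks every String argument of a raw-argument
# command before forwarding the call to the real client object.
class GuardedImap
  def initialize(client)
    @client = client
  end
  def method_missing(name, *args, &blk)
    if RAW_ARG_COMMANDS.include?(name)
      args = args.map { |a| a.is_a?(String) ? validate_raw_imap_arg!(a) : a }
    end
    @client.public_send(name, *args, &blk)
  end
  def respond_to_missing?(name, include_private = false)
    @client.respond_to?(name, include_private)
  end
end
```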

Compliance Impact

The provided information does not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
