CVE-2026-42257
IMAP Command Injection in Ruby Net::IMAP
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruby | net_imap | From 0.6.4 (exc) to 0.6.4 (exc) |
| ruby | net_imap | From 0.6.0 (inc) to 0.6.4 (exc) |
| ruby | net_imap | From 0.5.0 (inc) to 0.5.14 (exc) |
| ruby | net_imap | From 0.0.0 (inc) to 0.4.24 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42257 is a command injection vulnerability in the ruby/net-imap library affecting versions 0.6.0 to 0.6.3, 0.5.0 to 0.5.13, and 0.0.0 to 0.4.23.
The issue occurs because several IMAP commands (such as uid_search, search, uid_fetch, fetch, uid_store, store, setquota) accept raw string arguments that are sent directly to the IMAP server without validation or escaping.
If these raw strings are derived from user-controlled input, an attacker can inject CRLF (Carriage Return Line Feed) sequences to append arbitrary IMAP commands, potentially manipulating the mail server.
This vulnerability is particularly risky for applications that dynamically build search queries or fetch attributes from user input, like mail clients or archival tools.
The vulnerability has been patched in versions 0.4.24, 0.5.14, and 0.6.4 by validating raw data inputs and avoiding unsafe usage of Net::IMAP::RawData.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can inject arbitrary IMAP commands into the communication with the mail server.
This could allow actions such as deleting mailboxes or modifying mail data without proper authorization.
Applications that accept user input to build IMAP commands dynamically, like mail clients or archival tools, are especially at risk.
The vulnerability could lead to privilege escalation or unauthorized manipulation of mail data if inputs are not properly validated.
Temporary mitigations include validating input strings to exclude CRLF characters or restricting inputs to trusted values.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves injection of CRLF sequences into IMAP commands sent by the Net::IMAP client library when user-controlled input is passed without validation. Detection involves monitoring IMAP traffic for suspicious command injections or unexpected CRLF sequences in commands such as uid_search, search, uid_fetch, fetch, uid_store, store, and setquota.
Since the vulnerability is in the client library, detection on the network could involve inspecting IMAP command payloads for embedded CRLF sequences that could indicate injection attempts.
No specific detection commands are provided in the resources, but general approaches include:
- Using network packet capture tools (e.g., tcpdump, Wireshark) to capture IMAP traffic and filter for commands containing CRLF sequences.
- Searching application logs or debug output for IMAP commands that include unexpected line breaks or multiple commands concatenated.
- Reviewing source code or configuration to identify usage of vulnerable Net::IMAP versions and raw string arguments passed to IMAP commands.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the ruby/net-imap library to a patched version: 0.4.24, 0.5.14, or 0.6.4 (or later in each series).
If upgrading immediately is not possible, temporary mitigations include validating all raw string inputs passed to IMAP commands to ensure they do not contain CRLF sequences.
Restrict inputs to trusted values and avoid passing user-controlled input directly to vulnerable IMAP commands such as uid_search, search, uid_fetch, fetch, uid_store, store, and setquota.
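The two defensive pieces the detection and mitigation answers above describe, as an added example that is not part of this advisory or of the net-imap project: a guard that rejects CR/LF in any string destined for an IMAP command argument (meant to wrap user input before calls such as imap.search), an allow-list builder for one common search key, and a scanner that flags captured IMAP command lines carrying an embedded CRLF. Function names and the sample command lines are constructed for illustration.

```ruby
# Added example (not from the advisory or from net-imap itself): a guard for
# raw string arguments before they reach Net::IMAP, plus a scanner for
# captured IMAP command lines. All sample data below is constructed.

# Raise if a string that will be sent verbatim as IMAP command text contains
# CR, LF or NUL: the characters a CRLF injection needs to terminate the
# current command and start another one.
class UnsafeImapArgument < ArgumentError; end

def validate_imap_arg(value)
  str = value.to_s
  if str.match?(/[\r\n\0]/)
    raise UnsafeImapArgument, "control character in IMAP argument: #{str.inspect}"
  end
  str
end

# Tighter alternative for search keys built from user input: allow only the
# vocabulary the application needs (here an IMAP FROM search on an address).
def safe_from_search_keys(address)
  # Conservative address character set; widen it for your own data.
  unless address.match?(/\A[\w.+\-@]+\z/)
    raise UnsafeImapArgument, "rejected search address: #{address.inspect}"
  end
  ["FROM", address]
end

# Detection: given IMAP command lines recovered from a packet capture or a
# debug log, flag any tagged command whose text still contains CR/LF after
# the legitimate terminator is removed; that is what an injected argument
# looks like on the wire.
IMAP_TAG = /\A[A-Za-z0-9]+ /

def suspicious_imap_commands(raw_lines)
  raw_lines.select do |line|
    body = line.sub(/\r?\n\z/, "")   # strip the legitimate terminator
    line.match?(IMAP_TAG) && body.match?(/[\r\n]/)
  end
end

# Constructed sample: one benign SEARCH and one whose argument smuggles a
# second (here harmless) command after a CRLF.
SAMPLE_COMMANDS = [
  "RUBY0001 UID SEARCH FROM \"alice@example.test\"\r\n",
  "RUBY0002 UID SEARCH FROM \"x\"\r\nRUBY0003 NOOP\r\n",
].freeze

if __FILE__ == $0
  puts suspicious_imap_commands(SAMPLE_COMMANDS)
end
```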
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.