CVE-2026-42258
Received Received - Intake
CRLF Injection in Ruby Net::IMAP

Publication date: 2026-05-09

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-18
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42258
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ruby-lang net to 0.4.24 (exc)
ruby-lang net From 0.5.0 (inc) to 0.5.14 (exc)
ruby-lang net From 0.6.0 (inc) to 0.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-42258 is a command injection vulnerability in the ruby/net-imap gem affecting versions 0.6.0 to 0.6.3, 0.5.0 to 0.5.13, and 0.4.0 to 0.4.23.

The issue arises from unvalidated Symbol inputs used in IMAP commands, which can lead to CRLF injection and IMAP command injection.

Symbol arguments representing IMAP "system flags" are sent directly to the socket without validation, allowing attackers to inject malicious commands by appending CRLF sequences followed by new IMAP commands (e.g., DELETE mailbox).

The vulnerability stems from improper handling of user-controlled input converted to Symbols via #to_sym, which should never be used on untrusted input.

Impact Analysis

This vulnerability can allow attackers to execute unauthorized IMAP commands on the server by injecting malicious commands through unvalidated Symbol arguments.

Such unauthorized command execution could lead to actions like deleting mailboxes or other harmful operations on the IMAP server.

The severity of this issue is moderate, with a CVSS v4 base score of 5.8.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the ruby/net-imap gem to one of the patched versions: 0.6.4, 0.5.14, or 0.4.24.

Additionally, ensure that user input is never converted to Symbols using #to_sym, as this improper handling of untrusted input leads to the vulnerability.

Detection Guidance

This vulnerability arises from unvalidated Symbol inputs used in IMAP commands within the ruby/net-imap gem. Detection involves identifying usage of vulnerable versions (0.6.0 to 0.6.3, 0.5.0 to 0.5.13, and 0.4.0 to 0.4.23) and monitoring for suspicious IMAP command injections that include CRLF sequences.

To detect exploitation attempts on your system or network, you can monitor IMAP traffic for unusual commands or injected sequences following symbol arguments. Network packet inspection tools like Wireshark or tcpdump can be used to capture IMAP traffic and look for CRLF injection patterns.

  • Use tcpdump to capture IMAP traffic on port 143: tcpdump -i <interface> -s 0 -w imap_traffic.pcap port 143
  • Analyze captured traffic with Wireshark and filter for IMAP commands containing suspicious CRLF sequences or unexpected commands following symbol arguments.
  • Check your ruby/net-imap gem version in your environment with: gem list net-imap or inspect your Gemfile.lock to ensure it is updated to 0.6.4, 0.5.14, or 0.4.24 or later.

Additionally, review application logs for any unusual IMAP command usage or errors that might indicate attempted command injection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42258. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart