CVE-2026-42258
Status: Received - Intake
CRLF Injection in Ruby Net::IMAP

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Symbol arguments passed to IMAP commands are vulnerable to CRLF injection / IMAP command injection. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Meta Information
Published: 2026-05-09
Last Modified: 2026-05-09
Generated: 2026-05-10
AI Q&A: 2026-05-10
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ruby net_imap From 0.4.0 (inc) to 0.4.24 (exc)
ruby net_imap From 0.5.0 (inc) to 0.5.14 (exc)
ruby net_imap From 0.6.0 (inc) to 0.6.4 (exc)
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-42258 is a command injection vulnerability in the ruby/net-imap gem affecting versions 0.6.0 to 0.6.3, 0.5.0 to 0.5.13, and 0.4.0 to 0.4.23.

The issue arises from unvalidated Symbol inputs used in IMAP commands, which can lead to CRLF injection and IMAP command injection.

Symbol arguments representing IMAP "system flags" are sent directly to the socket without validation, allowing attackers to inject malicious commands by appending CRLF sequences followed by new IMAP commands (e.g., DELETE mailbox).

The vulnerability stems from improper handling of user-controlled input converted to Symbols via #to_sym, which should never be used on untrusted input.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute unauthorized IMAP commands on the server by injecting malicious commands through unvalidated Symbol arguments.

Such unauthorized command execution could lead to actions like deleting mailboxes or other harmful operations on the IMAP server.

The severity of this issue is moderate, with a CVSS v4 base score of 5.8.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade the ruby/net-imap gem to one of the patched versions: 0.6.4, 0.5.14, or 0.4.24.

Additionally, ensure that user input is never converted to Symbols using #to_sym, as this improper handling of untrusted input leads to the vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from unvalidated Symbol inputs used in IMAP commands within the ruby/net-imap gem. Detection involves identifying usage of vulnerable versions (0.6.0 to 0.6.3, 0.5.0 to 0.5.13, and 0.4.0 to 0.4.23) and monitoring for suspicious IMAP command injections that include CRLF sequences.

To detect exploitation attempts on your system or network, you can monitor IMAP traffic for unusual commands or injected sequences following Symbol arguments. Network packet inspection tools like Wireshark or tcpdump can be used to capture IMAP traffic and look for CRLF injection patterns. Because the injection originates in the vulnerable client, the traffic to inspect is what leaves the host running the Ruby application; note that IMAPS (port 993) and sessions upgraded with STARTTLS are encrypted, so packet inspection only reveals injected commands on plaintext connections or at a point where TLS is terminated.

  • Use tcpdump to capture plaintext IMAP traffic on port 143: tcpdump -i <interface> -s 0 -w imap_traffic.pcap port 143
  • Analyze the captured traffic with Wireshark and filter for IMAP commands containing unexpected CRLF sequences or additional commands following Symbol arguments.
  • Check the installed ruby/net-imap gem version with: gem list net-imap, or inspect your Gemfile.lock, to confirm it is 0.6.4, 0.5.14, or 0.4.24 or later.

Additionally, review application logs for any unusual IMAP command usage or errors that might indicate attempted command injection.
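The following is an added Ruby example (not code from the advisory or from net-imap itself) covering the two defensive points above: a Gemfile.lock check against the affected version ranges, and an allowlist lookup that resolves an untrusted flag string to the Symbol Net::IMAP uses for that system flag without ever calling #to_sym on raw input. The Gemfile.lock excerpt is constructed sample data; the helper names are my own.

```ruby
require "rubygems" # Gem::Version (loaded by default in modern Ruby)

# Affected ranges as [first affected, first fixed) pairs, from the advisory.
NET_IMAP_AFFECTED_RANGES = [
  ["0.4.0", "0.4.24"],
  ["0.5.0", "0.5.14"],
  ["0.6.0", "0.6.4"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# True when a net-imap version string falls inside an affected range.
def vulnerable_net_imap_version?(version)
  v = Gem::Version.new(version)
  NET_IMAP_AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Pulls the pinned net-imap version out of Gemfile.lock text (nil if absent).
def net_imap_version_from_lock(lock_text)
  m = lock_text.match(/^\s+net-imap \(([^)]+)\)\s*$/)
  m && m[1]
end

# The settable RFC 3501 system flags and the Symbols Net::IMAP uses for them.
SYSTEM_FLAGS = {
  "\\Seen" => :Seen, "\\Answered" => :Answered, "\\Flagged" => :Flagged,
  "\\Deleted" => :Deleted, "\\Draft" => :Draft,
}.freeze

# Resolves an untrusted flag string to a Symbol via an allowlist lookup.
# The raw input is never passed to #to_sym, so stray CR/LF (or anything
# else) cannot become a Symbol argument that reaches the IMAP socket.
def safe_flag_symbol(input)
  SYSTEM_FLAGS.fetch(input) { raise ArgumentError, "unknown flag: #{input.inspect}" }
end

if __FILE__ == $0
  # Constructed Gemfile.lock excerpt (sample data, not from a real project).
  lock = <<~LOCK
    GEM
      specs:
        net-imap (0.6.3)
          net-protocol
  LOCK
  ver = net_imap_version_from_lock(lock)
  puts "net-imap #{ver}: #{vulnerable_net_imap_version?(ver) ? 'AFFECTED' : 'ok'}"
  puts safe_flag_symbol("\\Seen").inspect
end
```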

