CVE-2026-47240
Deferred Deferred - Pending Action

CRLF Command Injection in Ruby Net::IMAP

Vulnerability report for CVE-2026-47240, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ruby net_imap to 0.5.15 (inc)
ruby net_imap to 0.6.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows command injection via malformed IMAP commands, potentially enabling attackers to execute arbitrary IMAP commands such as deleting mailboxes if unvalidated user input is passed. This could lead to unauthorized access or manipulation of sensitive email data.

Such unauthorized access or data manipulation could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and modification.

Mitigating this vulnerability by updating to patched versions or validating inputs is essential to maintain compliance with these regulations.

Executive Summary

This vulnerability exists in the Net::IMAP Ruby library, which implements IMAP client functionality. Prior to versions 0.6.5 and 0.5.15, certain Net::IMAP commands accept a "raw data" argument that is sent after validation intended to prevent command injection. However, if the IMAP server does not support non-synchronizing literals, it may interpret the data incorrectly, allowing an attacker to inject arbitrary IMAP commands. This happens because the server may treat the end of a malformed command line as the end of a command and then interpret the literal contents as new commands, enabling a CRLF (Carriage Return Line Feed) command injection attack.

The affected commands include #search, #uid_search, #sort, #thread, #uid_sort, #uid_thread, #fetch, and #uid_fetch. The vulnerability was fixed in versions 0.6.5 and 0.5.15 of Net::IMAP.

Impact Analysis

This vulnerability can allow an attacker to perform command injection attacks against an IMAP server when using vulnerable versions of the Net::IMAP client library. By injecting arbitrary IMAP commands, an attacker could potentially manipulate or disrupt email operations, access unauthorized data, or cause denial of service conditions depending on the server's response to injected commands.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Net::IMAP library to version 0.6.5 or later, or 0.5.15 or later, where the issue has been fixed.

Detection Guidance

This vulnerability involves command injection via non-synchronizing literals in IMAP commands sent by the ruby/net-imap library. Detection involves monitoring IMAP traffic for unusual or malformed command sequences that could indicate injection attempts.

Specifically, you can look for IMAP commands containing non-synchronizing literals (such as LITERAL+, LITERAL-, or IMAP4rev2) that are not supported by the server, which may cause the server to interpret injected commands following a "+}\r\n" sequence.

To detect this on your system or network, you can capture and analyze IMAP traffic using tools like tcpdump or Wireshark, filtering for IMAP commands and inspecting literals for suspicious patterns.

  • Use tcpdump to capture IMAP traffic: tcpdump -i <interface> -s 0 -w imap_traffic.pcap port 143 or port 993
  • Analyze the captured traffic in Wireshark, filtering for IMAP commands and looking for literals containing "+}\r\n" sequences or unexpected command injections.
  • On the system running ruby/net-imap, check the version of the library to identify if it is vulnerable (versions between 0.6.0 to 0.6.4 and 0.5.0 to 0.5.14 are affected).

There are no specific built-in commands provided in the advisory for direct detection, so manual inspection of IMAP traffic and library version checking are recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47240. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart