CVE-2026-47241
Deferred Deferred - Pending Action

Command Injection in Ruby Net::IMAP

Vulnerability report for CVE-2026-47241, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
ruby net_imap to 0.6.5 (exc)
ruby net_imap to 0.5.15 (exc)
ruby net_imap 0.5.15
ruby net_imap 0.6.4.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-162 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.
CWE-186 A regular expression is overly restrictive, which prevents dangerous values from being detected.
CWE-182 The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Net::IMAP library, which implements IMAP client functionality in Ruby. Before versions 0.6.5 and 0.5.15, some Net::IMAP commands accept a raw string argument that is only checked to prevent CRLF injection but is otherwise sent exactly as provided.

If this raw string comes from user input, an attacker can manipulate it so that the next IMAP command is treated as a continuation of the first command. This causes the first command to fail eventually but also blocks it from returning a response until another command is sent from a different thread.

The other command will then not return until the connection is closed, effectively causing a denial of service or blocking behavior. This issue was fixed in versions 0.6.5 and 0.5.15 of Net::IMAP.

Impact Analysis

This vulnerability can impact you by causing IMAP commands to hang or block indefinitely, leading to denial of service conditions in applications using vulnerable versions of Net::IMAP.

An attacker who can supply user-controlled input to these commands can exploit this behavior to disrupt normal IMAP client operations, potentially affecting email retrieval or processing.

Mitigation Strategies

To mitigate this vulnerability, update the Net::IMAP library to version 0.6.5 or later, or 0.5.15 or later, where the issue has been fixed.

Compliance Impact

This vulnerability primarily causes denial of service conditions by allowing an attacker to manipulate command parsing, leading to command failure and hanging threads. It does not directly impact confidentiality or integrity of data.

Since the vulnerability does not result in unauthorized data access or data leakage, its impact on compliance with standards like GDPR or HIPAAβ€”which focus heavily on protecting personal data confidentiality and integrityβ€”is limited.

However, the potential availability issues caused by denial of service could indirectly affect compliance if critical services become unavailable, as availability is a component of many security frameworks.

Detection Guidance

This vulnerability can be detected by monitoring for unusual IMAP client behavior such as commands that hang or do not return promptly, especially in multi-threaded environments where one command waits indefinitely for another thread's command to complete.

Specifically, detection involves checking for Net::IMAP commands that include raw string arguments ending with "}" or patterns like "{0}" or "{0+}", which are known to bypass validation and cause the issue.

To detect this on your system, you can capture and analyze IMAP traffic for such suspicious command patterns.

  • Use network packet capture tools like tcpdump or Wireshark to capture IMAP traffic on port 143 or 993.
  • Filter captured traffic for IMAP commands containing raw string arguments ending with "}" or "{0}" or "{0+}".
  • Example tcpdump command to capture IMAP traffic: tcpdump -i <interface> port 143 or port 993 -w imap_traffic.pcap
  • Analyze the capture file with Wireshark or tshark to filter IMAP commands with suspicious patterns.
  • If you have access to the Ruby environment, check the version of the ruby/net-imap gem to ensure it is updated to 0.6.5 or 0.5.15 or later, as these versions contain the fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart