Skip to main content

net-imap CVE-2026-42257

MEDIUM
Command Injection (CWE-77)
2026-05-04 https://github.com/ruby/net-imap GHSA-hm49-wcqc-g2xg
Medium
Disputed · 5.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
CRITICAL
qualitative
Red Hat
6.1 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 09, 2026 - 20:22 NVD
5.8 (MEDIUM)
Source Code Evidence Fetched
May 04, 2026 - 22:31 vuln.today
Analysis Generated
May 04, 2026 - 22:31 vuln.today

DescriptionGitHub Advisory

Summary

Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands.

Details

Net::IMAP's generic argument handling, used by most command arguments, interprets string arguments as an IMAP astring. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either a atom, quoted, or literal. These are safe from command or argument injection.

But the following commands transform specific String arguments to Net::IMAP::RawData, which bypasses normal argument validation and encoding and prints the string directly to the socket:

  • #uid_search, #search
  • when criteria is a String, it is sent raw
  • #uid_fetch, #fetch
  • when attr is a String, it is sent raw
  • when attr is an Array, each String in attr is sent raw
  • #uid_store, #store
  • when attr is a String, it is sent raw
  • #setquota:
  • limit is interpolated with #to_s and that string is sent raw

Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.

Using "raw data" arguments for #uid_store, #store, and #setquota I both inappropriate and unnecessary. Net::IMAP's generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.

The API for search criteria and fetch attributes is intentionally low-level and "close to the wire". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.

Although this was explicitly documented for search criteria, it was insufficiently documented for fetch attr. So developers may not have realized that the attr argument to #fetch and #uid_fetch is sent as "raw data".

Impact

If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not _directly_ enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.

Expected use of Net::IMAP#setquota is much more limited: SETQUOTA is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol SETQUOTA command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling #setquota with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.

Mitigation

  • Update to a patched version of net-imap which:
  • validates that Net::IMAP::RawData is composed of well-formed IMAP text, literal, and literal8 values, with no unescaped NULL, CR, or LF bytes.
  • does not use Net::IMAP::RawData for #store, #uid_store, or #setquota.
  • Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string.
  • If an immediate upgrade is not possible:
  • String inputs to search criteria and fetch attributes can be validated against command injection by checking for \r and \n characters.
  • Hard-coding the store attr argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application.
  • Use Kernel#Integer to coerce and validate user controlled inputs to #setquota limit.

AnalysisAI

Command injection in net-imap library allows attackers to inject arbitrary IMAP commands by supplying unvalidated user input to multiple methods that send raw, unescaped strings to the IMAP server. The #search, #uid_search, #fetch, #uid_fetch, #store, #uid_store, and #setquota methods accept string arguments that bypass normal validation and encoding, enabling CRLF injection to break command context. Applications that dynamically construct search criteria, fetch attributes, or quota limits from user input are at significant risk; a developer passing unsanitized input could allow an attacker to append malicious IMAP commands such as DELETE or other state-modifying operations.

Technical ContextAI

Net::IMAP is the Ruby standard library for IMAP protocol communication. Most command arguments are safely handled by generic argument processing that encodes strings as IMAP astring values (atom, quoted, or literal), which prevents injection. However, specific methods bypass this protection by converting string arguments to Net::IMAP::RawData objects, which send the string directly to the socket without validation or escaping. The vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in a Command), where CRLF characters (carriage return and line feed) in raw strings allow command splitting. The affected methods are search/uid_search (criteria argument), fetch/uid_fetch (attr argument as string or array of strings), store/uid_store (attr argument), and setquota (limit argument after string interpolation). The IMAP protocol uses CRLF as command delimiters, making unescaped CRLF sequences a direct injection vector.

RemediationAI

Vendor-released patches are available: upgrade to net-imap 0.6.4 (for 0.6.x users), 0.5.14 (for 0.5.x users), or 0.4.24 (for 0.4.x users) immediately, as these versions add RawData validation and remove RawData usage from #store, #uid_store, and #setquota methods. If immediate upgrade is not possible, implement the following mitigations from the vendor advisory: for search criteria and fetch attributes, pass an array of key-value pairs instead of interpolated strings; validate string inputs against CRLF characters by checking for '\r' and '\n' before passing to these methods; hard-code the attr argument to #store and #uid_store rather than deriving it from user input, or restrict user-controlled inputs to a whitelist of valid attribute names; use Kernel#Integer to coerce and validate user-controlled inputs to #setquota limit argument. See the GitHub advisory at https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg for detailed guidance on each method.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-42257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy