Skip to main content

Ruby net-imap EUVDEUVD-2026-38350

| CVE-2026-47241 LOW
Improper Neutralization of Trailing Special Elements (CWE-162)
2026-06-09 https://github.com/ruby/net-imap GHSA-c4fp-cxrr-mj66
2.1
CVSS 4.0 · Vendor: https://github.com/ruby/net-imap

Severity by source

Vendor (https://github.com/ruby/net-imap) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/ruby/net-imap) · only source for this CVE.

CVSS VectorVendor: https://github.com/ruby/net-imap

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
2.1 (LOW)
Source Code Evidence Fetched
Jun 09, 2026 - 20:16 vuln.today
Analysis Generated
Jun 09, 2026 - 20:16 vuln.today

DescriptionCVE.org

Summary

Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed.

Details

Net::IMAP::RawData was hardened in v0.6.4, v0.5.14, and v0.4.24 to reject string arguments that would smuggle an invalid literal-continuation marker onto the wire (CVE-2026-42257, GHSA-hm49-wcqc-g2xg). But the trailing-marker check uses an incorrect regex which does not match {0} or {0+}, so an attacker-controlled seach criteria or fetch attr string ending in {0} or {0+} passes validation and is sent verbatim. Since these arguments are sent as the last argument in the command, they will be followed by CRLF. Although the CRLF was intended to end the command, the server will interpret it as part of a literal prefix. This consumes the next command the client puts on the socket as additional arguments to the current command.

This affects the following command's arguments:

  • criteria for #search and #uid_search
  • search_keys for #sort, #thread, #uid_sort, and #uid_thread
  • attr for #fetch and #uid_fetch

The command which contained the attacker's raw data will not be able to complete until the _next_ command is issued. If commands are only sent from single thread, the first command will hang until the connection times out (most likely by the server closing the connection).

If a second command is sent _(from another thread)_, this would allow the server to respond to the first command. This combined command _will_ be invalid:

  • The {0}\r\n literal prohibits other arguments (such as a quoted string) from spanning both commands
  • It will be sent without the space delimiter which is required between arguments.
  • The second command's tag will not be a valid argument to any of the vulnerable commands.

So the server _should_ respond to the first command with a BAD response, which will raise a BadResponseError.

But, since the server never saw a second command, the second command will never receive a tagged response and the thread that sent it will hang until the connection is closed.

Impact

This will result in unexpected crashes and timeouts, which could be used to create a simple denial of service attack. This attack will present very similarly to common network issues or server issues which also result in commands hanging or unexpectedly raising exceptions. By itself, this does not allow command injection. But the confusion caused by these errors could lead to other downstream issues, especially in a multi-threaded environment.

Mitigation

Update to a patched version of net-imap which validates that RawData arguments may not end with literal continuation markers. If net-imap cannot be upgraded:

  • Validate that user input to the affected command arguments does not end with "}".
  • Use of Timeout or other standard strategies for slow connections and misbehaving servers will also mitigate the effects of this.

_Extra caution is required when issuing commands from multiple threads._ While net-imap does have rudimentary support for issuing commands from multiple threads, the user is responsible for synchronizing that commands are issued in a logically coherent order, and for ensuring that commands are only pipelined when it is safe to do so. Practically, this means that many commands cannot be safely pipelined together, and user code will often need to wait for state changing commands to successfully complete before issuing commands that rely on that state change.

AnalysisAI

{0} or {0+}`, allowing a smuggled literal-continuation marker to reach the IMAP server and cause it to absorb the next client command - hanging the issuing thread and, in multi-threaded environments, also the thread that sent the follow-up command. Rated low severity by the maintainers; no public exploit identified at time of analysis, but any application passing untrusted input to the affected raw argument parameters is at risk.

Technical ContextAI

The Ruby net-imap gem (pkg:rubygems/net-imap) implements the IMAP4rev1 client protocol. Several commands - #search, #uid_search, #sort, #thread, #uid_sort, #uid_thread, #fetch, #uid_fetch - accept raw string arguments (Net::IMAP::RawData) for criteria, search_keys, and attr parameters. Per the IMAP RFC, a string ending with {N}\r\n is a literal prefix, signaling that N bytes follow. The hardening added for CVE-2026-42257 used a regex to reject such markers, but the regex contained a logic error: it did not match the zero-length forms {0} or {0+}. CWE-162 (Improper Neutralization of Trailing Special Elements) precisely describes this root cause - a trailing special sequence passes an input filter because the filter's pattern is incomplete. When the malformed argument reaches the server, the CRLF that was meant to terminate the IMAP command is reinterpreted as part of the literal prefix {0}\r\n, so the server waits to read zero additional bytes before treating the next data on the socket as continuation of the current command.

RemediationAI

Upgrade net-imap to version 0.6.4.1 (for the 0.6.x line) or 0.5.15 (for the 0.5.x line), as confirmed by the GitHub release at https://github.com/ruby/net-imap/releases/tag/v0.6.4.1 and the security advisory GHSA-c4fp-cxrr-mj66. The fix corrects the trailing-marker regex in RawData validation to also reject strings ending in {0} or {0+}. If upgrading is not immediately possible, the advisory recommends validating that any user-supplied input to the affected command arguments does not end with the } character before passing it - this is a simple string-suffix check that trades off some flexibility in legitimate search criteria for protection against this bypass. Additionally, applying Timeout or similar slow-connection guards will limit the duration of any resulting hang, reducing the DoS impact but not preventing the malformed command from being sent. Extra synchronization is advised for multi-threaded applications issuing pipelined IMAP commands, as concurrent command threads amplify the hang duration.

Share

EUVD-2026-38350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy