Skip to main content

Ruby net-imap EUVDEUVD-2026-38352

| CVE-2026-47240 MEDIUM
Command Injection (CWE-77)
2026-06-09 https://github.com/ruby/net-imap GHSA-8p34-64r3-mwg8
5.8
CVSS 4.0 · Vendor: https://github.com/ruby/net-imap
Share

Severity by source

Vendor (https://github.com/ruby/net-imap) PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

Primary rating from Vendor (https://github.com/ruby/net-imap).

CVSS VectorVendor: https://github.com/ruby/net-imap

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
5.8 (MEDIUM)
Source Code Evidence Fetched
Jun 09, 2026 - 20:16 vuln.today
Analysis Generated
Jun 09, 2026 - 20:16 vuln.today

DescriptionCVE.org

Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.

Details

Raw data arguments support embedded literal values, both synchronizing and non-synchronizing. Non-synchronizing literals can only be safely sent when the server advertises any of the LITERAL+, LITERAL-, or IMAP4rev2 capabilities. But raw data arguments do not verify server support for non-synchronizing literals prior to sending.

Servers without support for non-synchronizing literals could handle them in several different ways: If a server sees a "}\r\n" byte sequence but can't parse the literal bytesize, it _may_ cautiously decide to close the connection, blocking any command injection attacks. However, a server without support for non-synchronizing literals may instead interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed.

This affects the following commands' string arguments:

  • criteria for #search and #uid_search
  • search_keys for #sort, #thread, #uid_sort, and #uid_thread
  • attr for #fetch and #uid_fetch

Prior to net-imap v0.6.4, v0.5.14, and v0.4.24, raw data arguments were not validated in _any_ way, so they were also vulnerable to this attack. See CVE-2026-42257 (GHSA-hm49-wcqc-g2xg).

Impact

Fortunately, LITERAL- is supported by most modern IMAP servers. Even without support for non-synchronizing literals, cautious servers may handle invalid literal bytesize by closing the connection . However, servers which handle a non-synchronizing literal just like any other malformed command will enable this vulnerability.

If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

Mitigation

Update to a version of net-imap which validates server support for non-synchronizing literals before sending them.

If upgrading net-imap is not possible:

  • Explicitly validate user-controlled inputs to prevent embedded non-synchronizing literals unless the server supports them.
  • For a simpler, more cautious approach: all embedded literals can be unconditionally prohibited, by checking that string inputs do not contain any CR or LF bytes.
  • Verify that the server advertises any of the LITERAL+, LITERAL-, or IMAP4rev2 capabilities before using untrusted string inputs for the affected "raw data" arguments.

AnalysisAI

CRLF command injection in Ruby's net-imap gem (CVE-2026-47240) enables attackers to inject arbitrary IMAP commands when applications pass unvalidated user-controlled input to raw data arguments of search, fetch, sort, and thread methods. Affected versions (>= 0.6.0 through 0.6.4, and <= 0.5.14) fail to verify that the connected IMAP server supports non-synchronizing literals before sending them, meaning servers without LITERAL+, LITERAL-, or IMAP4rev2 capability may interpret the malformed literal boundary as a pipelined command rather than closing the connection - allowing injected payloads such as DELETE mailbox to execute. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the advisory is rated moderate severity by the upstream maintainers and patches are available.

Technical ContextAI

The vulnerability resides in the Ruby standard library gem net-imap (pkg:rubygems/net-imap). The IMAP protocol distinguishes between synchronizing literals (which pause and await a server continuation before data is sent) and non-synchronizing literals (sent immediately, denoted by the {n+}\r\n syntax), the latter being valid only when the server advertises LITERAL+, LITERAL-, or IMAP4rev2 capabilities. Raw data arguments in net-imap are intended for expert use - they are sent verbatim after a validation pass - but that validation does not check whether the target server supports non-synchronizing literals. When a server without this support receives the {n+}\r\n sequence, it may treat the literal marker as an unknown malformed command terminator (responding with tagged BAD), causing the literal's contents to be interpreted as one or more new pipelined IMAP commands. This is a classic CRLF injection (CWE-77: Improper Neutralization of Special Elements used in a Command). The affected method arguments are: criteria for #search and #uid_search, search_keys for #sort, #thread, #uid_sort, and #uid_thread, and attr for #fetch and #uid_fetch. Prior to v0.6.4/v0.5.14/v0.4.24, these arguments were not validated at all (see related CVE-2026-42257, GHSA-hm49-wcqc-g2xg).

RemediationAI

Upgrade net-imap to v0.6.4.1 (for the 0.6.x branch) or v0.5.15 (for the 0.5.x branch). These patched versions add server capability verification - checking for LITERAL+, LITERAL-, or IMAP4rev2 in the server's advertised capabilities - before sending non-synchronizing literals in raw data arguments. Release details are at https://github.com/ruby/net-imap/releases/tag/v0.6.4.1 and advisory at https://github.com/ruby/net-imap/security/advisories/GHSA-8p34-64r3-mwg8. If upgrading is not immediately possible, three compensating controls are available with different trade-offs: (1) Validate all user-controlled inputs before passing to affected methods (#search, #uid_search, #sort, #thread, #uid_sort, #uid_thread, #fetch, #uid_fetch), stripping or rejecting strings containing CR (\r) or LF (\n) bytes - targeted but requires correct developer implementation at every call site. (2) Unconditionally prohibit all embedded literals by rejecting any input containing \r or \n; this is simpler and more conservative but may block legitimate complex search criteria using IMAP literal syntax. (3) Verify that the IMAP server advertises LITERAL+, LITERAL-, or IMAP4rev2 capabilities before accepting untrusted string inputs for these arguments - effective, but requires capability-inspection logic to be added to the application layer.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 16.0 Affected
SUSE Linux Enterprise High Availability Extension 16.1 Affected

Share

EUVD-2026-38352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy