CVE-2025-43857

Name of the Vulnerable Software and Affected Versions Net::IMAP versions prior to 0.5.7, 0.4.20, 0.3.9, and 0.2.5

Description The issue allows for denial of service by memory exhaustion when Net::IMAP reads server responses. A malicious server can send a "literal" byte count, which is automatically read by the client's receiver thread, causing the response reader to allocate memory for the number of bytes indicated by the server response. This can affect insecure connections and buggy, untrusted, or compromised servers.

Recommendations For versions prior to 0.5.7, update to version 0.5.7 or later. For versions prior to 0.4.20, update to version 0.4.20 or later. For versions prior to 0.3.9, update to version 0.3.9 or later. For versions prior to 0.2.5, update to version 0.2.5 or later. As a temporary workaround, consider restricting connections to trusted IMAP servers to minimize the risk of exploitation.