PT-2025-6069 · Net::Imap+7

Manunio · Published 2025-02-10 · Updated 2025-11-13

CVE-2025-25186

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Net::IMAP versions 0.3.2 through 0.3.7
Net::IMAP versions 0.4.0 through 0.4.18
Net::IMAP versions 0.5.0 through 0.5.5
Description

There is a possibility of denial of service by memory exhaustion in net-imap's response parser. At any time while the client is connected, a malicious server can send highly compressed uid-set data, which is automatically read by the client's receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limit on the expanded size of the ranges.
Recommendations

For Net::IMAP versions 0.3.2 through 0.3.7, upgrade to version 0.3.8 or higher and configure config.parser_max_deprecated_uidplus_data_size to set the maximum UIDPlusData UID set size.
For Net::IMAP versions 0.4.0 through 0.4.18, upgrade to version 0.4.19 or higher and configure config.parser_use_deprecated_uidplus_data to false.
For Net::IMAP versions 0.5.0 through 0.5.5, upgrade to version 0.5.6 or higher and configure config.parser_use_deprecated_uidplus_data to :up_to_max_size.
As a temporary workaround, consider disabling the Net::IMAP::ResponseParser function until a patch is available. Restrict access to the vulnerable net-imap module to minimize the risk of exploitation. Avoid using the uid-set parameter in the affected API endpoint until the issue is resolved.
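The unbounded Range#to_a expansion described above, and the size cap that the fixed versions introduce, illustrated by a small bounded uid-set expander. This is an added example, not net-imap's own code; MAX_UID_SET_SIZE, UidSetTooLarge, parse_uid_ranges, uid_set_expanded_size and expand_uid_set are names assumed here.

```ruby
# Added example, not net-imap's code. The vulnerable parser called
# Range#to_a on every "lo:hi" range of a server-supplied uid-set with no
# bound, so a set such as "1:4294967295" made the receiver thread allocate
# billions of Integers. Here the expanded size is computed from the
# endpoints before any array is built, and an oversized set is rejected.
# MAX_UID_SET_SIZE, UidSetTooLarge and the method names are assumptions.

MAX_UID_SET_SIZE = 10_000

class UidSetTooLarge < StandardError; end

# Parses the IMAP uid-set grammar (comma-separated UIDs or "lo:hi" ranges,
# either endpoint first) into [lo, hi] pairs without expanding anything.
def parse_uid_ranges(set)
  set.split(",").map do |item|
    lo, hi = item.split(":", 2).map { |n| Integer(n, 10) }
    hi ||= lo
    lo, hi = hi, lo if lo > hi
    raise ArgumentError, "uid must be positive: #{item}" if lo < 1
    [lo, hi]
  end
end

# Number of UIDs the set would expand to; O(number of ranges), not O(size).
def uid_set_expanded_size(set)
  parse_uid_ranges(set).sum { |lo, hi| hi - lo + 1 }
end

# Expands to a sorted, de-duplicated array of UIDs, or raises
# UidSetTooLarge before allocating when the set exceeds max.
def expand_uid_set(set, max: MAX_UID_SET_SIZE)
  ranges = parse_uid_ranges(set)
  size = ranges.sum { |lo, hi| hi - lo + 1 }
  if size > max
    raise UidSetTooLarge, "uid-set expands to #{size} UIDs (limit #{max})"
  end
  ranges.flat_map { |lo, hi| (lo..hi).to_a }.uniq.sort
end

if __FILE__ == $0
  p expand_uid_set("1:3,5,9:7")    # => [1, 2, 3, 5, 7, 8, 9]
  begin
    expand_uid_set("1:4294967295") # constructed hostile server input
  rescue UidSetTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The same check is what the fixed releases apply internally when config.parser_use_deprecated_uidplus_data is :up_to_max_size; leaving the option at false drops the expansion entirely.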

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Related Identifiers

ALSA-2025:10217
ALSA-2025:8131
ALSA-2025_10217
AZL-56555
CESA-2025_10217
CVE-2025-25186
ECHO-F096-55D9-2FEF
GHSA-7FC5-F82F-CX69
INFSA-2025_10217
INFSA-2025_4493
MGASA-2025-0290
OESA-2025-1195
OESA-2025-1196
RHSA-2025:10217
RHSA-2025:4493
RHSA-2025:8131
RHSA-2025_10217
RHSA-2025_4493
USN-7418-1

Affected Products

Almalinux
Centos
Debian
Linuxmint
Net::Imap
Red Hat
Rocky Linux
Ubuntu