PT-2026-37049 · Rubygems · Net::Imap

Manunio · Published 2026-05-04 · Updated 2026-05-18 · CVE-2026-42257

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

  • Net::IMAP versions prior to 0.4.24
  • Net::IMAP versions prior to 0.5.14
  • Net::IMAP versions prior to 0.6.4

Description

Several commands in the Net::IMAP Ruby library accept raw string arguments that are sent to the server without validation or escaping. If these strings are derived from user-controlled input, they may contain CRLF (Carriage Return Line Feed) sequences, allowing an attacker to inject arbitrary IMAP commands. This occurs because the affected arguments are wrapped as Net::IMAP::RawData, which bypasses the normal encoding applied to other arguments.
Technical details regarding affected functions and parameters:
  • uid_search() and search(): the criteria parameter is sent raw when it is a string.
  • uid_fetch() and fetch(): the attr parameter is sent raw when it is a string or an array of strings.
  • uid_store() and store(): the attr parameter is sent raw when it is a string.
  • setquota(): the limit parameter is interpolated and sent raw.
Recommendations

Update to version 0.4.24, 0.5.14, or 0.6.4 depending on the version branch used. As a temporary workaround, validate string inputs for search criteria and fetch attributes by rejecting any value that contains \r or \n characters. Restrict user-controlled inputs for the attr parameter in store commands to a small enumerated list, or use hard-coded values. Use Kernel#Integer to coerce and validate user-controlled inputs for the limit parameter in the setquota() function. Prefer sending search criteria as an array of key-value pairs instead of an interpolated string.
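The temporary workarounds above, implemented as input guards that an application can apply before handing values to search, fetch, store and setquota. This is an added example, not code from the advisory or from the net-imap gem; the method names, the exception class and the store attribute allowlist are this example's own choices.

```ruby
# Added example (not from the advisory or the net-imap project): guards that
# implement the advisory's workarounds before values reach Net::IMAP methods.
# The method names, UnsafeImapArgument and STORE_ATTRS are assumptions.

class UnsafeImapArgument < ArgumentError; end

# Search criteria and fetch attributes: reject any string (or array of
# strings) carrying CR or LF, the bytes that would terminate the current IMAP
# command line and let a second command follow it.
def assert_no_crlf(value, name)
  Array(value).each do |s|
    raise UnsafeImapArgument, "#{name} contains CR/LF" if s.to_s.match?(/[\r\n]/)
  end
  value
end

# Search criteria built as an array of tokens, as the advisory recommends,
# instead of an interpolated string; each user-supplied token is still checked.
def build_search_criteria(from:, subject:)
  ["FROM", assert_no_crlf(from, "from"),
   "SUBJECT", assert_no_crlf(subject, "subject")]
end

# store(): only a fixed, enumerated set of attribute names is accepted.
STORE_ATTRS = %w[FLAGS +FLAGS -FLAGS FLAGS.SILENT +FLAGS.SILENT -FLAGS.SILENT].freeze

def validate_store_attr(attr)
  return attr if STORE_ATTRS.include?(attr)
  raise UnsafeImapArgument, "store attr not allowed: #{attr.inspect}"
end

# setquota(): Kernel#Integer rejects anything that is not a whole integer
# literal, so a limit with trailing CRLF and extra text raises instead of
# being interpolated into the command.
def validate_quota_limit(limit)
  Integer(limit)
rescue ArgumentError, TypeError
  raise UnsafeImapArgument, "quota limit must be an integer"
end
```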

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-42257
GHSA-HM49-WCQC-G2XG

Affected Products

Net::Imap