PT-2026-37050 · Cpan · Net::Imap
Manunio · Published 2026-05-04 · Updated 2026-05-20 · CVE-2026-42258
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Net::IMAP versions prior to 0.4.24
Net::IMAP versions prior to 0.5.14
Net::IMAP versions prior to 0.6.4
Description
Symbol arguments passed to IMAP commands are susceptible to CRLF injection and IMAP command injection. Symbol arguments represent IMAP system flags, which are formatted as atoms with a `\` prefix. Vulnerable versions send the symbol name directly to the socket without validation, so it may contain characters that are invalid in a flag atom, such as SP (space) and CRLF (carriage return, line feed). An attacker who controls such a Symbol can terminate the current command and inject new, unauthorized IMAP commands, such as DELETE mailbox, whenever a developer passes user-controlled input as a Symbol to the affected commands.
Recommendations
Update to version 0.4.24, 0.5.14, or 0.6.4, depending on the major version branch in use. Avoid calling `#to_sym` on unvetted user-provided input. Do not unsafely serialize and deserialize command arguments with mechanisms such as YAML or Marshal, which can produce unvetted Symbol arguments. Hard-code Symbol arguments, or restrict them to a predefined enumerated list, for IMAP commands that accept flag arguments.
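The last two recommendations, restricting flag Symbols to an enumerated list and never deriving them from raw input with `#to_sym`, can be applied in the calling application regardless of library version. The following is an added example written for this page; it is not the Net::IMAP library's own fix. The function names, the `InvalidFlagError` class and the `SYSTEM_FLAGS` allowlist are assumptions (the list is the set of system flags defined by RFC 3501). The atom check is defence in depth: it rejects any flag name carrying SP, CRLF or other atom-special characters before the name can reach a socket.

```ruby
# Added example: allowlisting IMAP system-flag Symbols in application code.
# Not the Net::IMAP library's code; names below are assumptions for illustration.

# RFC 3501 system flags. On the wire they are sent as atoms with a "\" prefix
# (\Seen, \Deleted, ...); in the Symbol form the prefix is implied.
SYSTEM_FLAGS = %i[Seen Answered Flagged Deleted Draft Recent].freeze

class InvalidFlagError < ArgumentError; end

# RFC 3501 atom-specials: "(" ")" "{" SP CTL (which covers CR and LF)
# list-wildcards "%" "*", quoted-specials DQUOTE and "\", and "]".
ATOM_SPECIALS = /[\x00-\x1f\x7f(){}\s%*"\\\]]/

# True when the name is a non-empty IMAP atom with no special characters.
# Useful for custom keyword flags as well, which are plain atoms without "\".
def valid_flag_atom?(name)
  name = name.to_s
  !name.empty? && name !~ ATOM_SPECIALS
end

# Accepts a flag only if it is a Symbol from the allowlist; anything else,
# including a Symbol whose name contains CRLF, is rejected before use.
def safe_system_flag(flag)
  unless flag.is_a?(Symbol)
    raise InvalidFlagError, "system flag must be a Symbol, got #{flag.class}"
  end
  unless SYSTEM_FLAGS.include?(flag) && valid_flag_atom?(flag)
    raise InvalidFlagError, "unknown or malformed system flag: #{flag.inspect}"
  end
  flag
end

# Maps a user-supplied string (form field, API parameter, deserialized data)
# to an allowlisted Symbol without ever calling #to_sym on the raw input.
def lookup_flag(user_input)
  raise InvalidFlagError, "flag name must be a String" unless user_input.is_a?(String)
  match = SYSTEM_FLAGS.find { |f| f.to_s.casecmp?(user_input) }
  raise InvalidFlagError, "unsupported flag: #{user_input.inspect}" if match.nil?
  match
end

# Validates a whole flag list, e.g. before a STORE or APPEND call.
def store_flags(flags)
  flags.map { |f| safe_system_flag(f) }
end

# The wire form of a validated system flag.
def flag_atom(flag)
  "\\#{safe_system_flag(flag)}"
end

if $PROGRAM_NAME == __FILE__
  p store_flags([:Seen, :Deleted])          # [:Seen, :Deleted]
  p flag_atom(lookup_flag("seen"))          # "\\Seen"
  begin
    # Constructed malicious Symbol of the kind the advisory describes.
    safe_system_flag(:"Deleted\r\nA002 DELETE INBOX")
  rescue InvalidFlagError => e
    puts "rejected: #{e.message}"
  end
end
```

Because `lookup_flag` searches the fixed allowlist instead of converting the input, no attacker-chosen string ever becomes a Symbol; values loaded via YAML or Marshal should be passed through `safe_system_flag` before use for the same reason.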

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2026-42258, GHSA-75XQ-5H9V-W6PX

Affected Products: Net::Imap