CVE-2025-25186

Severity: Medium (CVSS 3.1 base score 6.5)
EPSS: 43.3%
Published: Feb 10, 2025
Last Modified: Jun 17, 2026

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, `net-imap`'s response parser can be driven into denial of service by memory exhaustion. At any time while the client is connected, a malicious server can send highly compressed `uid-set` data (a few bytes such as `1:4294967295` that name billions of UIDs), which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limit on the expanded size of the ranges, so the allocation is bounded only by what the server chooses to send. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory.
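The following is an added illustration of the failure mode described above; it is not net-imap's own parser but a minimal stand-in for the step that went wrong. A UIDPLUS `uid-set` (RFC 4315, e.g. `1:5,7,9:12`) is parsed first the way the affected versions effectively did it, expanding every range with `Range#to_a`, and then with a bound on the expanded size computed before any allocation. `MAX_UID`, the `10_000` cap, the helper names and the sample COPYUID line are all assumptions made for this example.

```ruby
# Added illustration for CVE-2025-25186; not net-imap's code. Shows why
# expanding a server-supplied uid-set with Range#to_a is a memory-exhaustion
# bug, and the count-before-allocate shape that avoids it.

MAX_UID = 4_294_967_295 # uniqueid is a 32-bit nz-number (RFC 3501 / RFC 4315)

class UidSetTooLarge < StandardError; end

# Reject anything outside the nz-number range a uniqueid may take.
def check_uid(uid)
  raise ArgumentError, "uid out of range: #{uid}" unless (1..MAX_UID).cover?(uid)
  uid
end

# Parse a uid-set into Integers and Ranges without expanding any range.
def parse_uid_set(text)
  text.split(",", -1).map do |item|
    case item
    when /\A(\d+)\z/
      check_uid(Integer(item, 10))
    when /\A(\d+):(\d+)\z/
      lo, hi = $~.captures.map { |s| check_uid(Integer(s, 10)) }
      lo, hi = hi, lo if lo > hi # IMAP permits either order in a range
      lo..hi
    else
      raise ArgumentError, "malformed uid-set item: #{item.inspect}"
    end
  end
end

# Number of UIDs the set names; O(items), so safe to compute on hostile input.
def expanded_size(text)
  parse_uid_set(text).sum { |x| x.is_a?(Range) ? x.size : 1 }
end

# Vulnerable shape: materialise every range eagerly, as the affected versions
# did. "1:4294967295" allocates roughly four billion Integers before returning.
def expand_uid_set_unbounded(text)
  parse_uid_set(text).flat_map { |x| x.is_a?(Range) ? x.to_a : [x] }
end

# Hardened shape: size the result first and refuse anything over the cap, so a
# hostile server can cost the client at most max_size elements per response.
def expand_uid_set(text, max_size: 10_000)
  size = expanded_size(text)
  if size > max_size
    raise UidSetTooLarge, "uid-set expands to #{size} UIDs (max #{max_size})"
  end
  expand_uid_set_unbounded(text)
end

# Constructed sample (not captured traffic) of the kind of untagged response the
# CVE describes: with UIDPLUS, COPYUID carries two server-chosen uid-sets.
MALICIOUS_COPYUID = "* OK [COPYUID 1700000000 1:4294967295 1:4294967295] Copied"

# Pull the two uid-sets out of a COPYUID response code, or nil if absent.
def copyuid_sets(line)
  m = line.match(/\[COPYUID (\d+) ([0-9:,]+) ([0-9:,]+)\]/) or return nil
  [m[2], m[3]]
end

if __FILE__ == $PROGRAM_NAME
  p expand_uid_set("1:5,7,9:12")
  copyuid_sets(MALICIOUS_COPYUID).each do |set|
    puts "#{set} names #{expanded_size(set)} UIDs"
    begin
      expand_uid_set(set)
    rescue UidSetTooLarge => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The point of `expanded_size` is that the cost of deciding is proportional to the number of items on the wire, not to the number of UIDs they denote; only after that check does anything proportional to the UID count get allocated. Whatever cap a client picks, it should be chosen from what the application actually needs rather than from what a server is willing to send.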

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
43.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available: fixed in net-imap 0.3.8, 0.4.19 and 0.5.6 (see Description and the GitHub Security Advisory)

Weaknesses (6)

CWE-1287 Improper Validation of Specified Type of Input
CWE-400 Uncontrolled Resource Consumption
CWE-405 Asymmetric Resource Consumption (Amplification)
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-789 Memory Allocation with Excessive Size Values

References (4)

  • github.com https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35
  • github.com https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3
  • github.com https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022
  • github.com https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69

Remediation

Upgrade `net-imap` to 0.3.8, 0.4.19, 0.5.6 or later on the series in use; versions before 0.3.2 are not affected. The GitHub Security Advisory (GHSA-7fc5-f82f-cx69) documents how the fixed versions should be configured and what to expect for backward compatibility, so read it before deploying rather than relying on defaults. The trigger is a malicious or compromised IMAP server acting at any point during a session, so a client that connects to servers it does not control is exposed for as long as it stays connected on an unfixed version; there is no client-side workaround short of upgrading. The three linked commits are the fixes on the respective release branches.
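As an added check (not from the advisory or the net-imap project), the following decides whether a given `net-imap` version string falls inside the affected range stated in this record: 0.3.2 and later, but below 0.3.8, 0.4.19 or 0.5.6 on the respective series. The function name, the `0.6` upper bound (no affected series above 0.5 is named by the record) and the installed-version lookup are assumptions of this example.

```ruby
# Added helper for CVE-2025-25186; not part of net-imap or the advisory.
# Classifies a net-imap version against the affected range in the CVE text.
require "rubygems" # Gem::Version / Gem::Specification; explicit for clarity

FIRST_AFFECTED = Gem::Version.new("0.3.2")
# First fixed release on each affected series, per the CVE text.
FIXED_BY_SERIES = {
  "0.3" => Gem::Version.new("0.3.8"),
  "0.4" => Gem::Version.new("0.4.19"),
  "0.5" => Gem::Version.new("0.5.6"),
}.freeze
# Assumption for this example: no series above 0.5 is listed as affected.
FIRST_UNAFFECTED_SERIES = Gem::Version.new("0.6")

# true when version_string is inside the affected range.
def affected_net_imap?(version_string)
  v = Gem::Version.new(version_string)
  return false if v < FIRST_AFFECTED || v >= FIRST_UNAFFECTED_SERIES
  series = v.segments.first(2).join(".")
  v < FIXED_BY_SERIES.fetch(series)
end

# Version of the net-imap gem visible to this Ruby, or nil if none is installed.
# In a Bundler app, check the "net-imap (x.y.z)" line in Gemfile.lock instead,
# since that is what the application actually loads.
def installed_net_imap_version
  Gem::Specification.find_by_name("net-imap").version.to_s
rescue Gem::LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  v = installed_net_imap_version
  if v.nil?
    puts "net-imap gem not installed for this Ruby"
  else
    puts "net-imap #{v}: #{affected_net_imap?(v) ? 'AFFECTED, upgrade' : 'not affected'}"
  end
end
```

Ruby ships `net-imap` as a bundled gem, so the version reported here for a bare interpreter is the one that came with Ruby unless a newer gem has been installed; applications pinned through `Gemfile.lock` must be checked against the lockfile.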