Vulnerability Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ruby-Lang | Net\ | < 0.4.24, \ |
Related Weaknesses (CWE)
References
- https://github.com/ruby/net-imap/releases/tag/v0.4.24Release Notes
- https://github.com/ruby/net-imap/releases/tag/v0.5.14Release Notes
- https://github.com/ruby/net-imap/releases/tag/v0.6.4Release Notes
- https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xgMitigationVendor Advisory
FAQ
What is CVE-2026-42257?
CVE-2026-42257 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is ...
How severe is CVE-2026-42257?
CVE-2026-42257 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-42257?
Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Net\.