CVE-2025-25186

Net::IMAP vulnerable to possible DoS by memory exhaustion

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.08%
Affected: ruby net-imap
Published at:
Updated at:

References

Link Tags
https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69
https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35
https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3
https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022

Frequently Asked Questions

What is the severity of CVE-2025-25186?
CVE-2025-25186 has been scored as a medium severity vulnerability.
How to fix CVE-2025-25186?
To fix CVE-2025-25186, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-25186 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-25186 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-25186?
CVE-2025-25186 affects ruby net-imap.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.