The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting the Ruby net-imap gem (Net::IMAP).
Technical Details
A vulnerability classified as problematic was found in Ruby net-imap up to versions 0.3.7, 0.4.18 and 0.5.5. The affected component is the Net::IMAP response parser. Crafted input from the IMAP server leads to uncontrolled resource consumption, classified as CWE-400: the product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. The impact is on availability of the client process.
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue.
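To make the failure mode concrete, the following is an added example and not code from net-imap itself: a minimal parser for the IMAP `uid-set` syntax (RFC 4315, as carried in APPENDUID/COPYUID responses: single UIDs or `lo:hi` ranges, comma separated). It shows the vulnerable pattern the advisory describes, eager expansion with `Range#to_a`, beside a bounded variant that computes the expanded size arithmetically and refuses oversized sets before allocating. The limit value, the `UidSetTooLarge` error class and the sample inputs are assumptions constructed for this example.

```ruby
# Added example, not net-imap's own code. Parses the RFC 4315 uid-set syntax
# and contrasts unbounded expansion (the vulnerable pattern) with a size check.

UID_ITEM_RE = /\A(\d+)(?::(\d+))?\z/

# Assumed error class for this example (not a net-imap class).
class UidSetTooLarge < StandardError; end

# Parse a uid-set into [lo, hi] pairs without expanding anything.
# Cost is proportional to the number of items, not to the span of the ranges.
def parse_uid_ranges(uid_set)
  uid_set.split(",").map do |item|
    m = UID_ITEM_RE.match(item) or
      raise ArgumentError, "bad uid-set item: #{item.inspect}"
    lo = m[1].to_i
    hi = (m[2] || m[1]).to_i
    raise ArgumentError, "uniqueid must be non-zero" if lo.zero? || hi.zero?
    lo, hi = hi, lo if lo > hi # "4:2" is equivalent to "2:4"
    [lo, hi]
  end
end

# Number of UIDs the set would expand to, computed arithmetically.
def uid_set_size(uid_set)
  parse_uid_ranges(uid_set).sum { |lo, hi| hi - lo + 1 }
end

# Vulnerable pattern: every range is expanded eagerly with Range#to_a, so a
# 12-byte "1:4294967295" from the server becomes ~4.3 billion Integers.
def expand_uid_set_unbounded(uid_set)
  parse_uid_ranges(uid_set).flat_map { |lo, hi| (lo..hi).to_a }
end

# Hardened pattern: check the expanded size first and refuse sets above a
# fixed limit (assumed default of 1000 here). Where callers can work with
# ranges directly, keeping the output of parse_uid_ranges and never expanding
# is better still.
def expand_uid_set_bounded(uid_set, max_size: 1000)
  size = uid_set_size(uid_set)
  if size > max_size
    raise UidSetTooLarge, "uid-set expands to #{size} UIDs (limit #{max_size})"
  end
  parse_uid_ranges(uid_set).flat_map { |lo, hi| (lo..hi).to_a }
end

# Constructed sample inputs: a benign set and one a hostile server might send.
BENIGN_UID_SET    = "1:3,7,9:10"
MALICIOUS_UID_SET = "1:4294967295,1:4294967295"

if __FILE__ == $PROGRAM_NAME
  p expand_uid_set_bounded(BENIGN_UID_SET)
  puts "malicious set expands to #{uid_set_size(MALICIOUS_UID_SET)} UIDs"
  begin
    expand_uid_set_bounded(MALICIOUS_UID_SET)
  rescue UidSetTooLarge => e
    puts "rejected: #{e.message}"
  end
  # expand_uid_set_unbounded(MALICIOUS_UID_SET) is deliberately not called:
  # that is the memory-exhaustion path this advisory describes.
end
```

The point of the bounded variant is that the decision is made from the textual ranges, so a hostile server cannot make the client pay in memory for bytes it never sent. A client that only needs to iterate or test membership should keep the ranges and never materialize the array at all.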
Affected Products:
Programming Language Software – Ruby - net-imap gem (Net::IMAP):
- Versions 0.3.2 up to 0.3.7
- Versions 0.4.0 up to 0.4.18
- Versions 0.5.0 up to 0.5.5
Recommendations
The Digital Security Authority recommends updating the affected product to the fixed release shown below:
| Current Version | Updated Version |
| --- | --- |
| 0.3.2 up to 0.3.7 | 0.3.8 |
| 0.4.0 up to 0.4.18 | 0.4.19 |
| 0.5.0 up to 0.5.5 | 0.5.6 |
References
The information presented in this report is based on available data up to the 11th of February 2025.