Bug 2362749 (CVE-2025-43857) - CVE-2025-43857 net-imap: net-imap rubygem vulnerable to possible DoS by memory exhaustion
Summary: CVE-2025-43857 net-imap: net-imap rubygem vulnerable to possible DoS by memor...
Keywords:
Status: NEW
Alias: CVE-2025-43857
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2362835 2362836 2362833
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-28 17:01 UTC by OSIDB Bzimport
Modified: 2025-04-29 12:32 UTC (History)
16 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github ruby/net-imap/security/advisories/GHSA-j3g3-5qv5-52mj 0 None None None 2025-04-29 11:00:43 UTC

Description OSIDB Bzimport 2025-04-28 17:01:16 UTC 
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.
Note You need to log in before you can comment on or make changes to this bug.