CVE-2026-42257: net-imap vulnerable to command injection via "raw" arguments to multiple commands
Several Net::IMAP commands accept a raw string argument that is sent to the server verbatim, without validation or escaping. If that string is derived from user-controlled input, it may contain CRLF sequences; because an IMAP server treats each CRLF-terminated line as a separate command, an attacker can use an embedded CRLF to inject arbitrary additional IMAP commands into the session. Upgrade to a release that contains the referenced fix commits; until then, reject or properly quote any untrusted value before passing it as a raw argument.
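The following is an added example, not code from net-imap or from the advisory. It models, offline and without a server, how a raw argument ends up on the wire, how a CRLF inside it is seen as a second command on the server side, and two client-side mitigations: rejecting CR/LF outright, or sending the value as an RFC 3501 quoted string. The function names, the `A001`/`A002` tags and the `MALICIOUS_MAILBOX` input are all constructed for illustration.

```ruby
# Added example (not net-imap's own code): models raw-argument CRLF injection
# and a hardened alternative. All names below are illustrative.

CRLF = "\r\n".freeze

# Builds the wire line the way a "raw" argument is sent: the argument is
# interpolated verbatim, with no validation and no quoting.
def build_raw_command(tag, command, raw_arg)
  "#{tag} #{command} #{raw_arg}#{CRLF}"
end

# Server-side view: an IMAP server reads one command per CRLF-terminated line.
# Returns the distinct command lines the server would parse from the wire bytes.
def server_command_lines(wire)
  wire.split(CRLF).reject(&:empty?)
end

class UnsafeImapArgument < ArgumentError; end

# Client-side guard: RFC 3501 quoted strings cannot contain CR or LF, and
# literals carry an explicit {n} byte count, so a bare CR or LF in a value
# that will be sent raw can only be an injection attempt. Reject it.
def assert_safe_raw_arg(arg)
  arg = arg.to_s
  if arg.match?(/[\r\n]/)
    raise UnsafeImapArgument, "CR/LF not allowed in IMAP argument: #{arg.inspect}"
  end
  arg
end

# Alternative to rejection: send the value as an RFC 3501 quoted string.
# Backslash and double quote are escaped; CR, LF and NUL have no quoted
# form (they would require a literal), so they are still refused.
def quote_imap_string(str)
  str = str.to_s
  if str.match?(/[\r\n\0]/)
    raise UnsafeImapArgument, "value needs a literal, not a quoted string: #{str.inspect}"
  end
  '"' + str.gsub(/(["\\])/) { "\\#{$1}" } + '"'
end

# Hardened counterpart of build_raw_command: the argument is always quoted.
def hardened_command(tag, command, arg)
  "#{tag} #{command} #{quote_imap_string(arg)}#{CRLF}"
end

# Constructed attacker-controlled input: a "mailbox name" that smuggles a
# second, fully formed command after an embedded CRLF.
MALICIOUS_MAILBOX = "INBOX\r\nA002 DELETE Archive"

if __FILE__ == $PROGRAM_NAME
  wire = build_raw_command("A001", "SELECT", MALICIOUS_MAILBOX)
  server_command_lines(wire).each { |line| puts "server sees: #{line.inspect}" }
  begin
    hardened_command("A001", "SELECT", MALICIOUS_MAILBOX)
  rescue UnsafeImapArgument => e
    puts "rejected: #{e.message}"
  end
end
```

Run as a script, the raw path yields two server-side commands (`A001 SELECT INBOX` followed by `A002 DELETE Archive`), while the hardened path raises before anything reaches the socket. Rejection is the simpler fix where the value is expected to be a plain atom or mailbox name; quoting is appropriate where arbitrary printable text is legitimately allowed.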
References
- github.com/advisories/GHSA-hm49-wcqc-g2xg
- github.com/ruby/net-imap
- github.com/ruby/net-imap/commit/0ec4fd351263e8b9a4f683713427827b7b1ad974
- github.com/ruby/net-imap/commit/47c72186d272441878ca73c9499f66013829ca2f
- github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b
- github.com/ruby/net-imap/commit/a4f7649c3da77dec7631f03a037a478eb4330048
- github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71
- github.com/ruby/net-imap/releases/tag/v0.4.24
- github.com/ruby/net-imap/releases/tag/v0.5.14
- github.com/ruby/net-imap/releases/tag/v0.6.4
- github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg
- nvd.nist.gov/vuln/detail/CVE-2026-42257