CVE-2025-25186: Possible DoS by memory exhaustion in net-imap
(updated )
There is a possibility for denial of service by memory exhaustion in net-imap’s response parser. At any time while the client is connected, a malicious server can send can send highly compressed uid-set data which is automatically read by the client’s receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges.
References
- github.com/advisories/GHSA-7fc5-f82f-cx69
- github.com/ruby/net-imap
- github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35
- github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3
- github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022
- github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69
- github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2025-25186.yml
- nvd.nist.gov/vuln/detail/CVE-2025-25186
- ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html
- ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html
- ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html
Code Behaviors & Features
Detect and mitigate CVE-2025-25186 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →