Update dependency net-imap to v0.6.4.1 [SECURITY] #1507
Open
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
net-imap: 0.6.3 → 0.6.4.1

net-imap vulnerable to STARTTLS stripping via invalid response timing
CVE-2026-42246 / GHSA-vcgp-9326-pqcp
Details
Summary
A man-in-the-middle attacker can cause `Net::IMAP#starttls` to return "successfully" without starting TLS.

Details
When using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged `OK` response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes "successfully" before the response handler is registered. This allows `#starttls` to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.

This allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks `Net::IMAP#tls_verified?`.

Impact
TLS bypass, leading to cleartext transmission of sensitive information.
Mitigation
- … `#starttls` does not establish TLS.
- … `STARTTLS` with a cleartext port. This is strongly recommended anyway:
- … `Net::IMAP#tls_verified?` is `true`, before using the connection after `#starttls`.

Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
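The check named in the last mitigation item, as an added example that is not part of the advisory or of net-imap: a wrapper that calls `#starttls` and then refuses to hand the connection back unless `tls_verified?` reports true, so a "successful" return that never upgraded the socket cannot be followed by a login in cleartext. `FakeImap` is a constructed stand-in for a `Net::IMAP` instance (so the block runs offline); `StarttlsNotEstablished` and `starttls_or_raise!` are names chosen for this example.

```ruby
# Constructed stand-in for a Net::IMAP instance, so the block runs offline.
# A real Net::IMAP object responds to the same three methods used here.
FakeImap = Struct.new(:tls_after_starttls, :disconnected, keyword_init: true) do
  def starttls(**_options)
    # Simulates #starttls returning "successfully" whether or not the
    # upgrade really happened (the race the advisory describes).
    :ok
  end

  def tls_verified?
    tls_after_starttls
  end

  def disconnect
    self.disconnected = true
  end
end

class StarttlsNotEstablished < StandardError; end

# Upgrades the connection and refuses to return it unless the client itself
# confirms TLS is active and verified.  Credentials should only ever be sent
# on the connection this method returns.
def starttls_or_raise!(imap, **ssl_options)
  imap.starttls(**ssl_options)
  return imap if imap.tls_verified?

  imap.disconnect
  raise StarttlsNotEstablished,
        "STARTTLS returned OK but tls_verified? is false; refusing to use the connection"
end
```

With net-imap the same call is `starttls_or_raise!(Net::IMAP.new(host))` followed by `#authenticate`; the wrapper tears the socket down instead of letting a stripped connection reach the login step.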
net-imap has quadratic complexity when reading response literals
CVE-2026-42245 / GHSA-q2mw-fvj9-vvcw
Details
Summary
`Net::IMAP::ResponseReader` has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack.

Details
For each literal in a response, `ResponseReader` rescans the entire growing response buffer. The regular expression that is used to scan the response buffer runs in linear time. With many literals, this becomes O(n²) total work. The regular expression should run in constant time: it is anchored to the end and only the last 23 bytes of the buffer are relevant.

Because the algorithmic complexity is super-linear, this bypasses protection from `max_response_size`: a response can stay well below the default size limit while still causing very large CPU cost. `Net::IMAP::ResponseReader` runs continuously in the receiver thread until the connection closes.

Impact
This consumes disproportionate CPU time in the client's receiver thread. A hostile server could use this to exhaust the client's CPU for a denial of service attack.
For a response near the default `max_response_size`, each individual regexp scan could take between 100 and 200ms on common modern hardware, and this may be repeated 200k times per megabyte of response. While the regexp is scanning, it retains the Global VM Lock, preventing other threads from running. Although other threads should not be completely blocked, their run time will be significantly impacted.
Mitigation
- … `max_response_size` (for example: 8KiB) will limit the impact. Although this is too small for fetching unpaginated message bodies, it should be enough for most other operations.

Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
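An added illustration of the rescanning pattern described above; this is example code, not net-imap's own `ResponseReader`. A simulated receiver loop checks the growing buffer for a trailing literal prefix after every line it reads. `literal_size_slow` applies the regexp to the whole buffer, so each check costs as much as the response is long; `literal_size_fast` examines only the last 23 bytes, the bound the advisory gives, so its cost does not grow. The sample FETCH response, `TAIL_BYTES`, and the function names are constructed for this example; the mitigation knob the advisory names, `max_response_size`, is not used here because the block runs without net-imap.

```ruby
require "stringio"

# Trailing IMAP literal prefix, e.g. "{12}\r\n" or "{12+}\r\n", at the very end
# of the buffer.  The unbounded \d+ means the engine cannot limit its search
# window from the pattern alone.
LITERAL_AT_END = /\{(\d+)(\+)?\}\r\n\z/

# Constructed constant: per the advisory only the last 23 bytes can matter.
TAIL_BYTES = 23

# Slow check: runs the regexp over the entire buffer, so each call costs
# O(buffer length).  Called once per literal, the total work is O(n^2).
def literal_size_slow(buffer)
  m = LITERAL_AT_END.match(buffer)
  m && m[1].to_i
end

# Fast check: the marker can only sit in the tail, so inspect a fixed number
# of bytes however large the buffer has grown (O(1) per call).
def literal_size_fast(buffer)
  start = [buffer.bytesize - TAIL_BYTES, 0].max
  m = LITERAL_AT_END.match(buffer.byteslice(start, TAIL_BYTES).b)
  m && m[1].to_i
end

# Simulated receiver loop: reads one complete response from +io+, consuming
# each announced literal in full, using +check+ to detect literal prefixes.
# Returns [raw_response_bytes, number_of_literals_consumed].
def read_response(io, check)
  buffer = +""
  literals = 0
  while (line = io.gets("\r\n"))
    buffer << line
    size = check.call(buffer)      # nil: the line ended without a literal
    break unless size
    buffer << io.read(size).to_s   # literal body; may itself contain CRLF
    literals += 1
  end
  [buffer, literals]
end

# Constructed sample FETCH response with two literals (not real server output).
SAMPLE_RESPONSE = "* 1 FETCH (BODY[HEADER] {13}\r\nFrom: a@b.c\r\n BODY[TEXT] {3}\r\nabc)\r\n"
```

Both checks consume the sample identically; the difference is only visible in cost, which is exactly why a size limit alone does not bound the CPU a hostile server can demand.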
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
CVE-2026-42256 / GHSA-87pf-fpwv-p7m7
Details
Summary
When authenticating a connection with `SCRAM-SHA1` or `SCRAM-SHA256`, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value.

Details
A hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in the SCRAM server-first-message, causing the client to perform an expensive `OpenSSL::KDF.pbkdf2_hmac` call. Because the PBKDF2 function is a blocking C extension and holds onto Ruby's Global VM Lock, it can freeze the entire Ruby VM for the duration of the computation.

OpenSSL enforces an effective maximum by using a 32-bit signed integer for the iteration count. Depending on hardware capabilities and OpenSSL version, this iteration count may be sufficient to block all Ruby threads in the process for over seven minutes.

This is listed as one of the "Security Considerations" in RFC 7804:
Impact
During SCRAM authentication to a hostile server, the entire Ruby VM will be locked for the duration of the computation. Depending on hardware capabilities and OpenSSL version, this may take many minutes.
`OpenSSL::KDF.pbkdf2_hmac` is a blocking C function, so `Timeout` cannot be used to guard against this. And it retains the Global VM Lock, so other Ruby threads will also be unable to run.

Mitigation
Upgrade to a patched version of `net-imap` that adds the `max_iterations` option to the `SASL-*` authenticators, and call `Net::IMAP#authenticate` with a `max_iterations` keyword argument.

NOTE: The default `max_iterations` is `2³¹ - 1`, the maximum signed 32-bit integer, the maximum allowed by OpenSSL. To prevent a denial of service attack, this must be set to a safe value, depending on hardware and version of OpenSSL.
It is the user's responsibility to enforce minimum and maximum iteration counts that are appropriate for their security context.
Alternatively, avoid `SCRAM-*` mechanisms when authenticating to untrusted servers.

Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
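An added example of the client-side bound the mitigation describes; it is not net-imap code (with a patched release you pass `max_iterations:` to `Net::IMAP#authenticate` instead). It parses a SCRAM server-first-message, rejects the iteration count when it falls outside a policy range, and only then derives SaltedPassword with `OpenSSL::KDF.pbkdf2_hmac`, so the blocking C call is never driven by an unchecked server value. `MIN_ITERATIONS`, `MAX_ITERATIONS`, the sample salt and both sample messages are constructed for this example.

```ruby
require "openssl"

class ScramIterationError < StandardError; end

# Constructed policy bounds; tune them to your hardware and OpenSSL build.
# The lower bound guards against a server weakening the KDF, the upper bound
# keeps a hostile server from pinning the VM for minutes.
MIN_ITERATIONS = 4_096
MAX_ITERATIONS = 1_000_000

# Parses a SCRAM server-first-message ("r=<nonce>,s=<base64 salt>,i=<count>")
# and returns [nonce, salt_bytes, iterations], enforcing the iteration bounds
# before anything expensive happens.
def parse_server_first(message, min_iterations: MIN_ITERATIONS, max_iterations: MAX_ITERATIONS)
  fields = message.split(",").to_h { |attr| attr.split("=", 2) }
  count = fields.fetch("i") { raise ScramIterationError, "missing iteration count" }
  unless count.match?(/\A[1-9]\d{0,9}\z/)
    raise ScramIterationError, "iteration count #{count.inspect} is not a plain decimal"
  end
  iterations = Integer(count, 10)
  if iterations > max_iterations
    raise ScramIterationError, "server asked for #{iterations} iterations, above the cap of #{max_iterations}"
  end
  if iterations < min_iterations
    raise ScramIterationError, "server asked for only #{iterations} iterations, below #{min_iterations}"
  end
  [fields.fetch("r"), fields.fetch("s").unpack1("m0"), iterations]
end

# Derives SaltedPassword = PBKDF2(password, salt, i) only after the count has
# passed validation.
def salted_password(password, server_first, digest: "SHA256", **bounds)
  _nonce, salt, iterations = parse_server_first(server_first, **bounds)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: OpenSSL::Digest.new(digest).digest_length, hash: digest)
end

# Constructed sample messages (not from a real server); the hostile one carries
# 2^31 - 1, the largest count OpenSSL accepts.
SAMPLE_SALT = "\x01\x02\x03\x04\x05\x06\x07\x08".b
BENIGN_SERVER_FIRST  = "r=cnonce1234snonce5678,s=#{[SAMPLE_SALT].pack("m0")},i=4096"
HOSTILE_SERVER_FIRST = "r=cnonce1234snonce5678,s=#{[SAMPLE_SALT].pack("m0")},i=2147483647"
```

The bounds are keyword arguments so an application can tighten or relax them per server; the parse step is cheap and raises before the KDF runs, which is the only place a `Timeout` would not have helped.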
net-imap vulnerable to command Injection via unvalidated Symbol inputs
CVE-2026-42258 / GHSA-75xq-5h9v-w6px
Details
Summary
Symbol arguments passed to IMAP commands are vulnerable to CRLF injection / IMAP command injection.
Details
Symbol arguments represent IMAP "system flags", which are formatted as "atoms" (with no quoting) with a `"\"` prefix. Vulnerable versions of Net::IMAP send the symbol name directly to the socket, with no validation.

Because the Symbol input is unvalidated, it could contain invalid `flag` characters, including `SP` and `CRLF`, which could be used to finish the current command and inject new commands.

Although IMAP `flag` arguments are only valid input for a few IMAP commands, most Net::IMAP commands use generic argument handling, and will allow Symbol (flag) inputs.

Note also that the list of valid symbol inputs should be restricted to an enumerated set of standard RFC defined flag types, which have each been given specific defined semantics. Any user-provided values outside of that list of standard "system flags" need to use the IMAP `keyword` syntax, which are sent as atoms, i.e. string inputs. Under no circumstances should `#to_sym` ever be called on unvetted user-provided input: that will always be a bug in the calling code, for the simple reason that `user_input_atom` is … as `\user_input_atom`.

For forward compatibility with future IMAP extensions, Net::IMAP does not restrict flag inputs to an enumerated list. That is the responsibility of the calling application code, which knows which flag semantics are valid for its context.
Impact
If a developer passes user-controlled input as a Symbol to most Net::IMAP commands, an attacker can append a CRLF sequence followed by a new IMAP command (like `DELETE mailbox`).

Mitigation
Upgrade to a version of Net::IMAP that validates Symbols are valid as an IMAP `flag`.

User-provided input should never be able to control calling `#to_sym` on string arguments. For example, do not unsafely serialize and deserialize command arguments (e.g. with YAML or Marshal) in a way that could create unvetted Symbol arguments.

For the few IMAP commands which do allow `flag` arguments, it may be appropriate to hard-code Symbol arguments or restrict them to an enumerated list which is valid for the calling application.

Severity
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
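An added example (not net-imap code) of the calling-side validation the mitigation describes: Symbol input is limited to an enumerated set of system flags, keyword Strings are checked against the RFC 3501 atom grammar, and a helper shows user input being kept as a String rather than converted with `#to_sym`. `SYSTEM_FLAGS`, `ATOM_RE`, `InvalidFlag` and the function names are this example's own.

```ruby
# IMAP "system flags" a client may set, as Net::IMAP represents them: a Symbol
# whose name is sent as a "\" atom.  \Recent is server-managed and is
# deliberately left out of the set a caller may pass.
SYSTEM_FLAGS = %i[Answered Flagged Deleted Seen Draft].freeze

# ATOM-CHAR per RFC 3501: printable 7-bit ASCII except ( ) { SP % * " \ ] and CTL.
# Keyword flags are plain atoms, so this is the whole rule for them.
ATOM_RE = /\A[\x21-\x7e&&[^(){%*"\\\]]]+\z/

class InvalidFlag < ArgumentError; end

# Returns the validated flag list for STORE/APPEND.  Symbols must name a known
# system flag; Strings must be well-formed keyword atoms.  Anything else
# (CRLF, a space, a leading "\") is rejected before it can reach the wire.
def validate_flags(flags)
  Array(flags).map do |flag|
    case flag
    when Symbol
      raise InvalidFlag, "unknown system flag #{flag.inspect}" unless SYSTEM_FLAGS.include?(flag)
      flag
    when String
      raise InvalidFlag, "keyword #{flag.inspect} is not a valid IMAP atom" unless flag.match?(ATOM_RE)
      flag
    else
      raise InvalidFlag, "flag must be a Symbol or String, got #{flag.class}"
    end
  end
end

# Renders the flag list the way it appears on the wire, for inspection.
def format_flag_list(flags)
  "(" + validate_flags(flags).map { |f| f.is_a?(Symbol) ? "\\#{f}" : f }.join(" ") + ")"
end

# User input stays a String: "Seen" typed into a form becomes the keyword
# atom Seen, never the system flag \Seen, and it is validated as an atom.
def flag_from_user_input(input)
  validate_flags([input.to_s]).first
end
```

The Symbol/String distinction is the whole point: the library cannot know which flags your application means, so the allowlist belongs in the caller, and the conversion to Symbol never happens on data you did not write yourself.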
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
CVE-2026-42257 / GHSA-hm49-wcqc-g2xg
Details
Summary
Several `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands.

Details
Net::IMAP's generic argument handling, used by most command arguments, interprets string arguments as an IMAP `astring`. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either an `atom`, `quoted`, or `literal`. These are safe from command or argument injection.

But the following commands transform specific String arguments to `Net::IMAP::RawData`, which bypasses normal argument validation and encoding and prints the string directly to the socket:
- `#uid_search`, `#search`
  - `criteria` is a String, it is sent raw
- `#uid_fetch`, `#fetch`
  - `attr` is a String, it is sent raw
  - `attr` is an Array, each String in `attr` is sent raw
- `#uid_store`, `#store`
  - `attr` is a String, it is sent raw
- `#setquota`
  - `limit` is interpolated with `#to_s` and that string is sent raw

Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.
Using "raw data" arguments for `#uid_store`, `#store`, and `#setquota` is both inappropriate and unnecessary. Net::IMAP's generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.

The API for search criteria and fetch attributes is intentionally low-level and "close to the wire". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.

Although this was explicitly documented for search `criteria`, it was insufficiently documented for fetch `attr`. So developers may not have realized that the `attr` argument to `#fetch` and `#uid_fetch` is sent as "raw data".

Impact
If a developer passes unvalidated user-controlled input for one of these method arguments, an attacker can append a CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g. shared mail folders or the application's installed response handlers.
The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.
Expected use of `Net::IMAP#setquota` is much more limited: `SETQUOTA` is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol `SETQUOTA` command. It is expected to be uncommonly used, in system administration scripts or in interactive sessions; it should be completely controlled by trusted users, and should only use trusted inputs. Calling `#setquota` with untrusted user input is expected to be a very uncommon use case. Please note however that this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.

Mitigation
- … `net-imap` which:
  - … `Net::IMAP::RawData` is composed of well-formed IMAP `text`, `literal`, and `literal8` values, with no unescaped `NULL`, `CR`, or `LF` bytes.
  - … `Net::IMAP::RawData` for `#store`, `#uid_store`, or `#setquota`.
- … `\r` and `\n` characters.
- … `attr` argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application.
- … `Kernel#Integer` to coerce and validate user controlled inputs to `#setquota` limit.

Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Net::IMAP: Denial of Service via incomplete raw argument validation
CVE-2026-47241 / GHSA-c4fp-cxrr-mj66
Details
Summary
Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed.
Details
`Net::IMAP::RawData` was hardened in v0.6.4, v0.5.14, and v0.4.24 to reject string arguments that would smuggle an invalid literal-continuation marker onto the wire (CVE-2026-42257, GHSA-hm49-wcqc-g2xg). But the trailing-marker check uses an incorrect regex which does not match `{0}` or `{0+}`, so an attacker-controlled search `criteria` or fetch `attr` string ending in `{0}` or `{0+}` passes validation and is sent verbatim. Since these arguments are sent as the last argument in the command, they will be followed by CRLF. Although the CRLF was intended to end the command, the server will interpret it as part of a literal prefix. This consumes the next command the client puts on the socket as additional arguments to the current command.

This affects the following commands' arguments:
- `criteria` for `#search` and `#uid_search`
- `search_keys` for `#sort`, `#thread`, `#uid_sort`, and `#uid_thread`
- `attr` for `#fetch` and `#uid_fetch`

The command which contained the attacker's raw data will not be able to complete until the next command is issued. If commands are only sent from a single thread, the first command will hang until the connection times out (most likely by the server closing the connection).

If a second command is sent (from another thread), this would allow the server to respond to the first command. This combined command will be invalid:
- `{0}\r\n` literal prohibits other arguments (such as a quoted string) from spanning both commands

So the server should respond to the first command with a `BAD` response, which will raise a `BadResponseError`. But, since the server never saw a second command, the second command will never receive a tagged response and the thread that sent it will hang until the connection is closed.
Impact
This will result in unexpected crashes and timeouts, which could be used to create a simple denial of service attack. This attack will present very similarly to common network issues or server issues which also result in commands hanging or unexpectedly raising exceptions. By itself, this does not allow command injection. But the confusion caused by these errors could lead to other downstream issues, especially in a multi-threaded environment.
Mitigation
Update to a patched version of `net-imap` which validates that `RawData` arguments may not end with literal continuation markers.

If `net-imap` cannot be upgraded:
- … `"}"`.
- … `Timeout` or other standard strategies for slow connections and misbehaving servers will also mitigate the effects of this.

Extra caution is required when issuing commands from multiple threads. While `net-imap` does have rudimentary support for issuing commands from multiple threads, the user is responsible for synchronizing that commands are issued in a logically coherent order, and for ensuring that commands are only pipelined when it is safe to do so. Practically, this means that many commands cannot be safely pipelined together, and user code will often need to wait for state changing commands to successfully complete before issuing commands that rely on that state change.

Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
CVE-2026-47240 / GHSA-8p34-64r3-mwg8
Details
Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.
Details
Raw data arguments support embedded literal values, both synchronizing and non-synchronizing. Non-synchronizing literals can only be safely sent when the server advertises any of the `LITERAL+`, `LITERAL-`, or `IMAP4rev2` capabilities. But raw data arguments do not verify server support for non-synchronizing literals prior to sending.

Servers without support for non-synchronizing literals could handle them in several different ways: If a server sees a `"}\r\n"` byte sequence but can't parse the literal bytesize, it may cautiously decide to close the connection, blocking any command injection attacks. However, a server without support for non-synchronizing literals may instead interpret the `"+}\r\n"` as the end of a malformed command line and respond with a tagged `BAD`. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed.

This affects the following commands' string arguments:
- `criteria` for `#search` and `#uid_search`
- `search_keys` for `#sort`, `#thread`, `#uid_sort`, and `#uid_thread`
- `attr` for `#fetch` and `#uid_fetch`

Prior to `net-imap` v0.6.4, v0.5.14, and v0.4.24, raw data arguments were not validated in any way, so they were also vulnerable to this attack. See CVE-2026-42257 (GHSA-hm49-wcqc-g2xg).

Impact
Fortunately, `LITERAL-` is supported by most modern IMAP servers. Even without support for non-synchronizing literals, cautious servers may handle an invalid literal bytesize by closing the connection. However, servers which handle a non-synchronizing literal just like any other malformed command will enable this vulnerability.

If a developer passes unvalidated user-controlled input for one of these method arguments, an attacker can append a CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g. shared mail folders or the application's installed response handlers.
Mitigation
Update to a version of `net-imap` which validates server support for non-synchronizing literals before sending them.

If upgrading `net-imap` is not possible:
- … `LITERAL+`, `LITERAL-`, or `IMAP4rev2` capabilities before using untrusted string inputs for the affected "raw data" arguments.

Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
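The three raw-argument advisories above (CVE-2026-42257, CVE-2026-47241 and CVE-2026-47240) describe one set of rules for a string before it is handed to `#search`, `#fetch`, `#sort`, `#thread` or their UID variants. The following is an added example that applies all of them in one validator; it is not net-imap's own `RawData` implementation. Text outside literals may not contain NUL, CR or LF; every embedded literal prefix must be followed by exactly the announced number of bytes; a bare `{n}` or `{n+}` at the end, including `{0}` and `{0+}`, is rejected; and a non-synchronizing literal is only accepted when the server's capability list includes `LITERAL+`, `LITERAL-` or `IMAP4rev2`. `quota_limit` shows the `Kernel#Integer` coercion the first advisory recommends for `#setquota`. `UnsafeRawData`, the constants, the function names and all sample strings are constructed here; with net-imap the capability list would come from `Net::IMAP#capabilities`.

```ruby
class UnsafeRawData < ArgumentError; end

# Capabilities that advertise non-synchronizing literals (from the advisory).
# Net::IMAP#capabilities reports names upcased, so the comparison below upcases too.
NON_SYNC_LITERAL_CAPS = %w[LITERAL+ LITERAL- IMAP4REV2].freeze

# A complete literal prefix inside the argument: "{n}\r\n" or "{n+}\r\n".
LITERAL_PREFIX_RE = /\{(\d+)(\+)?\}\r\n/

# A bare marker left at the very end of the argument.  \d+ together with \z
# makes sure "{0}" and "{0+}" are matched, the case CVE-2026-47241 missed.
TRAILING_LITERAL_RE = /\{\d+\+?\}\z/

# Validates a string destined for a "raw data" argument.  Returns the validated
# bytes or raises UnsafeRawData.  Rules, in order:
#   1. text outside literals may not contain NUL, CR or LF;
#   2. each literal prefix must be followed by exactly the announced bytes;
#   3. the argument may not end in a literal continuation marker;
#   4. non-synchronizing literals need a server capability that allows them.
def validate_raw_data!(raw, server_capabilities: [])
  raw = raw.to_s.b
  non_sync = false
  pos = 0
  while pos < raw.bytesize
    prefix = LITERAL_PREFIX_RE.match(raw, pos)
    text_end = prefix ? prefix.begin(0) : raw.bytesize
    if raw.byteslice(pos, text_end - pos).match?(/[\x00\r\n]/)
      raise UnsafeRawData, "NUL, CR or LF outside a literal in #{raw.inspect}"
    end
    break unless prefix

    size = Integer(prefix[1], 10)
    non_sync ||= !prefix[2].nil?
    body_start = prefix.end(0)
    if body_start + size > raw.bytesize
      raise UnsafeRawData, "literal announces #{size} bytes but only #{raw.bytesize - body_start} follow"
    end
    pos = body_start + size          # skip the literal body, which may hold CRLF
  end
  if raw.match?(TRAILING_LITERAL_RE)
    raise UnsafeRawData, "argument ends in a literal continuation marker: #{raw.inspect}"
  end
  if non_sync && (NON_SYNC_LITERAL_CAPS & server_capabilities.map(&:upcase)).empty?
    raise UnsafeRawData, "non-synchronizing literal, but the server advertises none of #{NON_SYNC_LITERAL_CAPS.join(', ')}"
  end
  raw
end

# SETQUOTA limits: Kernel#Integer with an explicit base rejects anything that
# is not a clean decimal, so "1024\r\nA002 NOOP" raises instead of being sent.
def quota_limit(input)
  limit = Integer(input.to_s.strip, 10)
  raise ArgumentError, "quota limit must not be negative" if limit.negative?
  limit
end
```

Walking the string literal by literal is what lets CRLF be allowed where the grammar allows it (inside a literal body) and refused everywhere else; a flat "no CR or LF anywhere" rule would reject legitimate literal-bearing criteria, while a flat "allow it" rule is the injection.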
Net::IMAP: Command Injection via ID command argument
CVE-2026-47242 / GHSA-46q3-7gv7-qmgg
Details
Summary
Two `Net::IMAP` commands, `#id` and `#enable`, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands.

Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon.
Details
When `Net::IMAP#id` is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences.

While `Net::IMAP#enable` does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The `#to_s` value is sent verbatim.

Impact
This is expected to impact very few users: use of untrusted user input for either command is expected to be very uncommon.
The documentation for `#enable` explicitly warns that using any arguments that are not in the explicitly supported list may result in undocumented behavior. Using arbitrary untrusted user input for `#enable` will always be inappropriate.

Although client ID field values will most commonly be static and hardcoded, dynamic input sources may be used. For example, client ID fields may be set by configuration or version numbers. Using untrusted user inputs for client ID fields is expected to be uncommon. But any untrusted inputs to client ID can trivially exploit this vulnerability.
Untrusted inputs to either command may include a CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.
Mitigation
Update to a version of `net-imap` which validates `#id` and `#enable` arguments.

Untrusted inputs should never be used for `#enable` arguments.

If `net-imap` cannot be upgraded:

Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
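An added example (not net-imap code) of the two checks this advisory says were missing: ID field values are quoted with `"` and `\` escaped while any CR, LF or NUL is rejected outright, and ENABLE arguments are checked as IMAP atoms before they are joined into a command. `UnsafeArgument`, `ATOM_RE` and the function names are this example's own; the sample values are constructed.

```ruby
class UnsafeArgument < ArgumentError; end

# ATOM-CHAR per RFC 3501: printable 7-bit ASCII except ( ) { SP % * " \ ] and CTL.
ATOM_RE = /\A[\x21-\x7e&&[^(){%*"\\\]]]+\z/

# Quotes one ID field value as an IMAP quoted string.  Quoted-specials (" and \)
# are escaped; CR, LF and NUL cannot be made safe by quoting, so they are
# rejected instead.
def quote_id_value(value)
  return "NIL" if value.nil?

  str = value.to_s
  if str.match?(/[\x00\r\n]/)
    raise UnsafeArgument, "ID value contains NUL, CR or LF: #{str.inspect}"
  end
  '"' + str.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# Renders the ID parameter list as it would go on the wire, validating every
# key and value (keys are held to the same rule as values).
def id_parameters(fields)
  return "NIL" if fields.nil? || fields.empty?

  "(" + fields.map { |k, v| "#{quote_id_value(k)} #{quote_id_value(v)}" }.join(" ") + ")"
end

# ENABLE arguments must be atoms.  Untrusted input should never reach this call
# at all; the check still stops a stray CRLF or space from being sent.
def enable_arguments(*capabilities)
  capabilities.flatten.map(&:to_s).each do |name|
    unless name.match?(ATOM_RE)
      raise UnsafeArgument, "ENABLE argument is not an IMAP atom: #{name.inspect}"
    end
  end
end
```

Escaping and rejecting are separate steps on purpose: escaping handles the characters the quoted-string grammar can carry, and rejection handles the ones it cannot, which is the gap the advisory describes for `#id`.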
Release Notes
ruby/net-imap (net-imap)
v0.6.4.1 (Compare Source)
What's Changed
🔒 Security
This release fixes several more security vulnerabilities which are related to the fixes in `v0.6.4`. Please see the linked security advisories for more information.
- … This vulnerability depends on how the server interprets non-synchronizing literals. The connection is not vulnerable if the server supports non-synchronizing literals.
- … `ID` values contain only valid bytes by @nevans in #698
- … `#enable` arguments are all atoms by @nevans in #699
  - NOTE: `#enable` should never be called with untrusted input.
- … This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
- … `{0}` in RawData validation by @nevans in #700

Added
- … `Net::IMAP#inspect` TLS info by @nevans in #674

Fixed
- … `config.max_non_synchronizing_literal = nil` by @nevans in #672
- … `#disconnect` by @nevans in #686

Documentation

Other Changes
- … `RawData.new`, Add `RawData.split` by @nevans in #679

Miscellaneous
Full Changelog: ruby/net-imap@v0.6.4...v0.6.4.1
v0.6.4 (Compare Source)
What's Changed
🔒 Security
This release contains fixes for multiple vulnerabilities concerning `STARTTLS` stripping, argument validation, and denial of service attacks.

Breaking Changes
- `ResponseReader` memoizes `Config#max_response_size` in #642. Changes to `#max_response_size` now take effect once per response, not on every `IO#read`. NOTE: It is not expected that this will affect any current usage. See the PR for details.
Added
- … `BINARY` extension to `#append` (RFC3516) by @nevans in #616
- … `LITERAL+` and `LITERAL-` non-synchronizing literals (RFC7888) by @nevans in #649
- … `ScramAuthenticator#max_iterations` by @nevans in #654
- … `number64` and `nz-number64` to NumValidator by @nevans in #625
- … `MailboxQuota#quota_root` alias by @nevans in #636
- … `Net::IMAP#inspect` with basic state by @nevans in #612
- … `ResponseParseError#parser_methods` (and override `#==`) by @nevans in #615

Fixed
- … `attr` as an `atom` in #658
- … `#setquota` storage limit argument in #659
- … `SSLContext#setup` instead of `#freeze` by @idahomst in #627
- … `#get_tagged_response` by @nevans in #633
- … `SearchResult#to_sequence_set` in #644, reported by @Quintasan

Documentation
- … `.document` and `.rdoc_options` files, where possible by @nevans in #619

Other Changes

Miscellaneous
- … `#setquota` by @nevans in #636

New Contributors
Full Changelog: ruby/net-imap@v0.6.3...v0.6.4
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.