Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.8
CVE-2026-42257: Net-IMAP vulnerable to command injection via raw arguments
GHSA-hm49-wcqc-g2xg
CVE-2026-42257
GHSA-hm49-wcqc-g2xg
Summary
The Net-IMAP library in certain situations sends user-controlled input directly to the server without checking for malicious code. This allows an attacker to inject and execute arbitrary commands. Affected applications should update to a secure version of the library or ensure that user input is properly sanitized before sending it to the server.
What to do
- Update shugo maeda net-imap to version 0.6.4.
- Update shugo maeda net-imap to version 0.5.14.
- Update shugo maeda net-imap to version 0.4.24.
- Update net-imap to version 0.6.4.
- Update net-imap to version 0.5.14.
- Update net-imap to version 0.4.24.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| rubygems | shugo maeda | net-imap |
>= 0.6.0, <= 0.6.3 >= 0.5.0, <= 0.5.13 <= 0.4.23 Fix: upgrade to 0.6.4
|
| RubyGems | – | net-imap |
>= 0.6.0, < 0.6.4 >= 0.5.0, < 0.5.14 < 0.4.24 Fix: upgrade to 0.6.4
|
| rubygems | – | net-imap |
>= 0.6.0, <= 0.6.3 >= 0.5.0, <= 0.5.13 <= 0.4.23 Fix: upgrade to 0.6.4
|
| – | ruby-lang | net\ |
\ cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* |
Original title
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Original description
### Summary
Several `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands.
### Details
`Net::IMAP`'s generic argument handling, used by most command arguments, interprets string arguments as an IMAP `astring`. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either a `atom`, `quoted`, or `literal`. These are safe from command or argument injection.
But the following commands transform specific String arguments to `Net::IMAP::RawData`, which bypasses normal argument validation and encoding and prints the string directly to the socket:
* `#uid_search`, `#search`
* when `criteria` is a String, it is sent raw
* `#uid_fetch`, `#fetch`
* when `attr` is a String, it is sent raw
* when `attr` is an Array, each String in `attr` is sent raw
* `#uid_store`, `#store`
* when `attr` is a String, it is sent raw
* `#setquota`:
* `limit` is interpolated with `#to_s` and that string is sent raw
Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.
Using "raw data" arguments for `#uid_store`, `#store`, and `#setquota` I both inappropriate and unnecessary. `Net::IMAP`'s generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.
The API for search criteria and fetch attributes is intentionally low-level and "close to the wire". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.
Although this was explicitly documented for search `criteria`, it was insufficiently documented for fetch `attr`. So developers may not have realized that the `attr` argument to `#fetch` and `#uid_fetch` is sent as "raw data".
### Impact
If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not _directly_ enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.
The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.
Expected use of `Net::IMAP#setquota` is much more limited: `SETQUOTA` is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol `SETQUOTA` command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling `#setquota` with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.
### Mitigation
- Update to a patched version of `net-imap` which:
- validates that `Net::IMAP::RawData` is composed of well-formed IMAP `text`, `literal`, and `literal8` values, with no unescaped `NULL`, `CR`, or `LF` bytes.
- does not use `Net::IMAP::RawData` for `#store`, `#uid_store`, or `#setquota`.
- Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string.
- If an immediate upgrade is not possible:
- String inputs to search criteria and fetch attributes can be validated against command injection by checking for `\r` and `\n` characters.
- Hard-coding the store `attr` argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application.
- Use `Kernel#Integer` to coerce and validate user controlled inputs to `#setquota` limit.
Several `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands.
### Details
`Net::IMAP`'s generic argument handling, used by most command arguments, interprets string arguments as an IMAP `astring`. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either a `atom`, `quoted`, or `literal`. These are safe from command or argument injection.
But the following commands transform specific String arguments to `Net::IMAP::RawData`, which bypasses normal argument validation and encoding and prints the string directly to the socket:
* `#uid_search`, `#search`
* when `criteria` is a String, it is sent raw
* `#uid_fetch`, `#fetch`
* when `attr` is a String, it is sent raw
* when `attr` is an Array, each String in `attr` is sent raw
* `#uid_store`, `#store`
* when `attr` is a String, it is sent raw
* `#setquota`:
* `limit` is interpolated with `#to_s` and that string is sent raw
Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.
Using "raw data" arguments for `#uid_store`, `#store`, and `#setquota` I both inappropriate and unnecessary. `Net::IMAP`'s generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.
The API for search criteria and fetch attributes is intentionally low-level and "close to the wire". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.
Although this was explicitly documented for search `criteria`, it was insufficiently documented for fetch `attr`. So developers may not have realized that the `attr` argument to `#fetch` and `#uid_fetch` is sent as "raw data".
### Impact
If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not _directly_ enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.
The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.
Expected use of `Net::IMAP#setquota` is much more limited: `SETQUOTA` is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol `SETQUOTA` command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling `#setquota` with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.
### Mitigation
- Update to a patched version of `net-imap` which:
- validates that `Net::IMAP::RawData` is composed of well-formed IMAP `text`, `literal`, and `literal8` values, with no unescaped `NULL`, `CR`, or `LF` bytes.
- does not use `Net::IMAP::RawData` for `#store`, `#uid_store`, or `#setquota`.
- Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string.
- If an immediate upgrade is not possible:
- String inputs to search criteria and fetch attributes can be validated against command injection by checking for `\r` and `\n` characters.
- Hard-coding the store `attr` argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application.
- Use `Kernel#Integer` to coerce and validate user controlled inputs to `#setquota` limit.
ghsa CVSS4.0
5.8
Vulnerability type
CWE-77
Command Injection
CWE-93
- https://nvd.nist.gov/vuln/detail/CVE-2026-42257
- https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg
- https://github.com/ruby/net-imap/commit/0ec4fd351263e8b9a4f683713427827b7b1ad974
- https://github.com/ruby/net-imap/commit/47c72186d272441878ca73c9499f66013829ca2f
- https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b
- https://github.com/ruby/net-imap/commit/a4f7649c3da77dec7631f03a037a478eb4330048
- https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://github.com/advisories/GHSA-hm49-wcqc-g2xg
- https://github.com/ruby/net-imap Product
Published: 4 May 2026 · Updated: 23 May 2026 · First seen: 4 May 2026