#VU112026 Asymmetric Resource Consumption (Amplification) in net-imap - CVE-2025-25186

Cybersecurity Help s.r.o.

Published: 2025-06-27

Vulnerability identifier: #VU112026

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-25186

CWE-ID: CWE-405

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
net-imap
Universal components / Libraries / Libraries used by multiple products

Vendor: Ruby

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

net-imap: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.4.1, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.9.1, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.4.14, 0.4.15, 0.4.16, 0.4.17, 0.4.18, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5

External links
https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35
https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3
https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022
https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 8 update for the ruby:3.3 module

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Red Hat Enterprise Linux 10 update for ruby

Multiple vulnerabilities in OpenShift Logging 5.9

openEuler 24.03 LTS update for ruby

openEuler 24.03 LTS SP1 update for ruby

Fedora 40 update for ruby

Fedora 41 update for ruby

Asymmetric Resource Consumption (Amplification) in ruby net-imap