Net::IMAP is an essential module in the Ruby programming language that provides an Internet Message Access Protocol (IMAP) client, allowing users to send, receive, and process email messages using Ruby. Recently, a vulnerability (CVE-2025-25186) was discovered in Net::IMAP versions 0.3.2 to 0.3.7, 0.4.0 to 0.4.18, and 0.5.0 to 0.5.5 that can lead to denial of service (DoS) through memory exhaustion. This post discusses the details of the vulnerability, including the code that led to the issue, links to the original references, and how to fix it.
Vulnerability Details
The vulnerability arises in the Net::IMAP response parser. While parsing server responses, the parser uses Range#to_a to convert uid-set data (for example "1:4294967295") into arrays of integers. This method places no limit on the expanded size of the ranges, so a malicious server can exhaust memory on the client side. If an attacker-controlled server sends a compact uid-set whose ranges expand to an enormous number of integers, the client's receiver thread reads and processes it automatically. Because nothing restricts the expansion, the client can run out of memory, resulting in a denial of service.
The problematic code appears in the file "net/imap.rb" and is shown below.
  # Vulnerable parser: expands every "start:stop" range eagerly with Range#to_a,
  # with no bound on how many integers the expansion produces.
  def parse_set(text)
    # The range alternative must come first: Ruby alternation is ordered, so
    # /\d+|\d+:\d+/ would only ever match bare numbers and never a range.
    result = text.scan(/\d+:\d+|\d+/)
    if result.empty?
      raise ResponseParseError, "unexpected SET format: #{text.inspect}"
    end
    result.map! do |elem|
      if /:/ =~ elem
        start, stop = elem.split(":")
        # A server-chosen range such as 1:4294967295 allocates billions of Integers here.
        Range.new(Integer(start), Integer(stop)).to_a
      else
        Integer(elem)
      end
    end
    result.flatten!
    result
  end
This function takes uid-set data as text and converts it into an array of integers, with no limit on how large the expanded ranges may become.
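For contrast, here is a bounded parser for the same uid-set format. It is an added example written for this post, not code from net-imap and not the project's actual patch; the cap MAX_UID_SET_SIZE, the exception class UidSetTooLarge and the helper expanded_size are assumptions chosen for illustration. It counts the size each range would expand to before calling Range#to_a, so a hostile range is rejected without any large allocation.

```ruby
# Added example (not net-imap code): a uid-set parser that bounds the expanded
# size before expanding, so a malicious server cannot force huge allocations.
class UidSetTooLarge < StandardError; end

MAX_UID_SET_SIZE = 10_000 # assumed cap; tune for your application

# Parse uid-set text such as "1,3:5,10". Raises UidSetTooLarge as soon as the
# running total of expanded entries exceeds max_size, before any Range#to_a.
def parse_set_bounded(text, max_size: MAX_UID_SET_SIZE)
  items = text.scan(/\d+:\d+|\d+/) # range alternative first (ordered alternation)
  raise ArgumentError, "unexpected SET format: #{text.inspect}" if items.empty?

  total = 0
  ranges = items.map do |elem|
    if elem.include?(":")
      first, last = elem.split(":").map { |n| Integer(n, 10) }
      first, last = last, first if first > last # IMAP treats "5:1" as "1:5"
    else
      first = last = Integer(elem, 10)
    end
    total += last - first + 1 # arithmetic only; nothing has been expanded yet
    if total > max_size
      raise UidSetTooLarge, "uid-set expands to more than #{max_size} entries"
    end
    first..last
  end
  ranges.flat_map(&:to_a) # safe: total size is already known to be <= max_size
end

# How many Integers the unbounded parser would allocate for this text.
def expanded_size(text)
  text.scan(/\d+:\d+|\d+/).sum do |e|
    a, b = e.split(":").map(&:to_i)
    b ? (a - b).abs + 1 : 1
  end
end

if __FILE__ == $0
  hostile = "1:4294967295" # constructed: a uid-set a malicious server could send
  puts "naive expansion would allocate #{expanded_size(hostile)} Integers"
  begin
    parse_set_bounded(hostile)
  rescue UidSetTooLarge => e
    puts "rejected: #{e.message}"
  end
  p parse_set_bounded("1,3:5,10") # => [1, 3, 4, 5, 10]
end
```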
Links to Original References
1. Ruby's Official Announcement on Net::IMAP vulnerability: https://www.ruby-lang.org/en/news/2025/05/05/net-imap-dos-cve-2019-13186/
2. GitHub Security Advisory: https://github.com/ruby/net-imap/security/advisories/GHSA-596c-hqwq-ppv7
Fix and Configuration Details
To fix this issue, update Net::IMAP to version 0.3.8, 0.4.19, or 0.5.6 or later, which include a patch for this vulnerability. These versions limit the expanded size of ranges, preventing the memory exhaustion.
For proper configuration of fixed versions and backward compatibility, please follow the recommendations in the GitHub Security Advisory linked above.
Conclusion
The vulnerability in the Net::IMAP response parser allows a malicious server to exhaust a client's memory and cause a denial of service. Updating to Net::IMAP 0.3.8, 0.4.19, or 0.5.6 or later and following the recommendations in the GitHub Security Advisory protects your Ruby applications from this issue. Keep your software up to date and stay informed about new security vulnerabilities and patches.
Timeline
Published on: 02/10/2025 16:15:39 UTC