Commit f338a3b

Add CVE-2025-25186: DoS vulnerability in net-imap
1 parent e3d5083 commit f338a3b

2 files changed

+58
-0
lines changed

@@ -0,0 +1,29 @@
1+
---
2+
layout: news_post
3+
title: "CVE-2025-25186: DoS vulnerability in net-imap"
4+
author: "nevans"
5+
translator:
6+
date: 2025-02-11 03:00:00 +0000
7+
tags: security
8+
lang: en
9+
---
10+
11+
There is a possibility for DoS by in the net-imap gem. This vulnerability has been assigned the CVE identifier [CVE-2025-25186](https://www.cve.org/CVERecord?id=CVE-2025-25186). We recommend upgrading the net-imap gem.
12+
13+
## Details
14+
15+
A malicious server can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges.
16+
17+
Please update net-imap gem to version 0.3.8, 0.4.19, 0.5.6, or later.
18+
19+
## Affected versions
20+
21+
* net-imap gem between 0.3.2 and 0.3.8, 0.4.0 and 0.4.19, or 0.5.0 and 0.5.6
22+
23+
## Credits
24+
25+
Thanks to [manun](https://hackerone.com/manun) for discovering this issue.
26+
27+
## History
28+
29+
* Originally published at 2025-02-11 03:00:00 (UTC)
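
Review bot: The affected range on line 21 reads as including the fixed releases: "between 0.3.2 and 0.3.8, 0.4.0 and 0.4.19, or 0.5.0 and 0.5.6" names the same versions that line 17 tells users to upgrade to (0.3.8, 0.4.19, 0.5.6). Suggest making the upper bounds explicitly exclusive, for example "0.3.2 up to but not including 0.3.8", so a reader who is already on 0.3.8, 0.4.19 or 0.5.6 does not conclude they are still affected.
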
@@ -0,0 +1,29 @@
1+
---
2+
layout: news_post
3+
title: "CVE-2025-25186: DoS vulnerability in net-imap"
4+
author: "nevans"
5+
translator:
6+
date: 2025-02-11 03:00:00 +0000
7+
tags: security
8+
lang: en
9+
---
10+
11+
There is a possibility for DoS by in the net-imap gem. This vulnerability has been assigned the CVE identifier [CVE-2025-25186](https://www.cve.org/CVERecord?id=CVE-2025-25186). We recommend upgrading the net-imap gem.
12+
13+
## Details
14+
15+
A malicious server can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser uses Range#to_a to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges.
16+
17+
Please update net-imap gem to version 0.3.8, 0.4.19, 0.5.6, or later.
18+
19+
## Affected versions
20+
21+
* net-imap gem between 0.3.2 and 0.3.8, 0.4.0 and 0.4.19, or 0.5.0 and 0.5.6
22+
23+
## Credits
24+
25+
Thanks to [manun](https://hackerone.com/manun) for discovering this issue.
26+
27+
## History
28+
29+
* Originally published at 2025-02-11 03:00:00 (UTC)
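
Review bot: The opening sentence on line 11 has a dropped word: "There is a possibility for DoS by in the net-imap gem" leaves whatever followed "by" unstated. Either name the cause that the Details section describes (uid-set ranges expanded with Range#to_a with no limit on the expanded size) or shorten it to "There is a possibility for DoS in the net-imap gem". The content of this file, including `lang: en` and the empty `translator:` key, is identical to the first file's, so the same sentence needs the fix there; if this copy is meant for another locale, the front matter should reflect that.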
