Net::IMAP, CRLF Injection / IMAP Command Injection via Symbol Arguments, CVE-2026-42258 (Moderate)

How the CVE works:

  1. The vulnerability exists in Ruby’s `net-imap` library when handling Symbol arguments passed to IMAP commands.
  2. Symbol arguments represent IMAP “system flags” and are formatted as atoms with no quoting, prefixed by a `\` character.
  3. Vulnerable versions send the symbol name directly to the server socket without any validation.
  4. Because symbol input is unvalidated, it may contain invalid flag characters including SP (space) and CRLF (carriage return + line feed).
  5. An attacker can inject a CRLF sequence to terminate the current IMAP command and start a new one, such as DELETE mailbox.
  6. Although IMAP flag arguments are only valid for a few commands, most `Net::IMAP` commands use generic argument handling and allow Symbol (flag) inputs.
  7. Valid symbol inputs should be restricted to an enumerated set of standard RFC-defined flag types; user-provided values outside this list should use IMAP keyword syntax, which sends them as strings (atoms).
  8. Calling `to_sym` on unvetted user input is always a bug, as it turns untrusted data into a symbol that is directly embedded in the IMAP stream.
  9. `Net::IMAP` itself does not restrict flag inputs to an enumerated list, for forward compatibility; validation is the responsibility of the calling application.
  10. If a developer passes user-controlled input as a Symbol to most `Net::IMAP` commands, an attacker can inject arbitrary IMAP commands after a CRLF.

DailyCVE Form

Platform: Ruby net-imap (RubyGems)
Version: 0.6.0 ⬌ 0.6.3 / 0.5.0 ⬌ 0.5.13 / 0 ⬌ 0.4.23
Vulnerability: CRLF injection / IMAP Command Injection
Severity: Moderate
Date: 2026-04-24

Prediction: 2026-04-24 (patched versions 0.6.4, 0.5.14, 0.4.24 released)

Analytics — What Undercode Say

Check the installed net-imap version:

```shell
gem list net-imap
```

Vulnerable ranges:

```ruby
vulnerable_versions = [
  { start: "0.6.0", end: "0.6.3" },
  { start: "0.5.0", end: "0.5.13" },
  { start: "0", end: "0.4.23" }
]
```

Update to a patched version:

```shell
gem update net-imap
```

In the Gemfile:

```ruby
gem 'net-imap', '>= 0.6.4'
```

Exploit

An attacker can inject malicious IMAP commands by providing a symbol that includes a CRLF sequence. Example injection:

`:INBOX\r\nDELETE INBOX`

The CRLF terminates the current command, and `DELETE INBOX` is executed as a new IMAP command.

Protection from this CVE

  • Upgrade to `net-imap` 0.6.4, 0.5.14, or 0.4.24.
  • Never call `to_sym` on unsanitized user input.
  • Do not deserialize untrusted data (e.g., via YAML or Marshal) into symbols.
  • Hard-code allowed flags or validate them against a strict whitelist at the application layer.
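
As an added, defensive example (not code from net-imap or from this advisory), the following Ruby guard implements the application-layer validation called for in steps 7 to 9 above and in the protection list: only RFC-defined system flags may become Symbols, other names pass through as keyword Strings, and any value containing bytes an IMAP atom cannot hold (SP, CR, LF and the other atom-specials) is rejected before it can reach `Net::IMAP`. The constant names, `InvalidFlag` class and helper functions are this example's own assumptions.

```ruby
# Added example (not net-imap's own code): an application-layer guard for flag
# arguments. Only RFC-defined system flags may become Symbols; anything else is
# returned as a String keyword; values with bytes that cannot appear in an IMAP
# atom are rejected, which blocks the CRLF command injection described above.

# System flags from RFC 3501/9051. Symbols reaching Net::IMAP must be one of these.
SYSTEM_FLAGS = %i[Seen Answered Flagged Deleted Draft Recent].freeze

# Bytes not allowed in an IMAP atom: controls (incl. CR and LF), SP, and the
# atom-specials "(" ")" "{" "%" "*" DQUOTE "\" "]".
ATOM_SPECIALS = /[\x00-\x1f\x7f\s(){%*"\\\]]/

class InvalidFlag < ArgumentError; end

# Returns a :Seen-style Symbol for a recognised system flag (given as a Symbol
# or as a "\Seen" String), or the String itself for a custom keyword.
# Raises InvalidFlag for everything else, including the CRLF payload above.
def safe_flag(input)
  raw = input.to_s
  system = input.is_a?(Symbol) || raw.start_with?("\\")
  name = raw.delete_prefix("\\")
  if name.empty? || name.match?(ATOM_SPECIALS)
    raise InvalidFlag, "flag contains characters not allowed in an atom: #{raw.inspect}"
  end
  return name unless system # custom keyword: stays a String, never a Symbol
  SYSTEM_FLAGS.find { |f| f.to_s.casecmp?(name) } or
    raise InvalidFlag, "not an RFC-defined system flag: #{raw.inspect}"
end

# Validate a whole flag list, as passed to commands such as STORE.
def safe_flags(inputs)
  Array(inputs).map { |f| safe_flag(f) }
end

# True when the value would be rejected; useful for input filtering and tests.
def rejected_flag?(input)
  safe_flag(input)
  false
rescue InvalidFlag
  true
end

if $PROGRAM_NAME == __FILE__
  p safe_flags([:Seen, "\\flagged", "$Phishing", "Work"])
  # => [:Seen, :Flagged, "$Phishing", "Work"]
  p rejected_flag?(:"INBOX\r\nDELETE INBOX") # => true
end
```

Because the guard returns a String for unknown names, a user-supplied label can never be sent with the unquoted `\` system-flag syntax that vulnerable versions wrote straight to the socket.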

Impact

If a developer passes user-controlled input as a Symbol to most `Net::IMAP` commands, an attacker can execute arbitrary IMAP commands (e.g., DELETE mailbox), potentially leading to mailbox deletion, data loss, or further server exploitation.

Sources:

Reported By: github.com