CVE-2026-42257

CVE-2026-42257 is a medium-severity command injection vulnerability in net-imap (rubygems), affecting versions >= 0.6.0, <= 0.6.3. It is fixed in 0.6.4, 0.5.14, 0.4.24.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

net-imap vulnerable to command Injection via "raw" arguments to multiple commands

Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands.

Details

Net::IMAP's generic argument handling, used by most command arguments, interprets string arguments as an IMAP astring. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either a atom, quoted, or literal. These are safe from command or argument injection.

But the following commands transform specific String arguments to Net::IMAP::RawData, which bypasses normal argument validation and encoding and prints the string directly to the socket:

  • #uid_search, #search, #uid_sort, #sort, #uid_thread, #thread
    • when criteria is a String, it is sent raw
  • #uid_fetch, `#fetch
    • when attr is a String, it is sent raw
    • when attr is an Array, each String in attr is sent raw
  • #uid_store, #store
    • when attr is a String, it is sent raw
  • #setquota:
    • limit is interpolated with #to_s and that string is sent raw

Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.

Using "raw data" arguments for #uid_store, #store, and #setquota I both inappropriate and unnecessary. Net::IMAP's generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.

The API for search criteria and fetch attributes is intentionally low-level and "close to the wire". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.

Although this was explicitly documented for search criteria, it was insufficiently documented for fetch attr. So developers may not have realized that the attr argument to #fetch and #uid_fetch is sent as "raw data".

Mitigation

  • Update to a patched version of net-imap which:
    • validates that Net::IMAP::RawData is composed of well-formed IMAP text, literal, and literal8 values, with no unescaped NULL, CR, or LF bytes.
    • does not use Net::IMAP::RawData for #store, #uid_store, or #setquota.
  • Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string.
  • If an immediate upgrade is not possible:
    • String inputs to search criteria and fetch attributes can be validated against command injection by checking for \r and \n characters.
    • Hard-coding the store attr argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application.
    • Use Kernel#Integer to coerce and validate user controlled inputs to #setquota limit.

Impact

If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.

The SORT and THREAD commands and their UID variants also handle their search criteria argument similarly to SEARCH and are subject to the same risk.

Expected use of Net::IMAP#setquota is much more limited: SETQUOTA is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol SETQUOTA command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling #setquota with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.

Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command. Typical impact: arbitrary command execution in the application's environment.

Affected versions

net-imap (>= 0.6.0, <= 0.6.3) net-imap (>= 0.5.0, <= 0.5.13) net-imap (>= 0, <= 0.4.23)

Security releases

net-imap → 0.6.4 (rubygems) net-imap → 0.5.14 (rubygems) net-imap → 0.4.24 (rubygems)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

net-imap to 0.6.4 or later; net-imap to 0.5.14 or later; net-imap to 0.4.24 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-42257? CVE-2026-42257 is a medium-severity command injection vulnerability in net-imap (rubygems), affecting versions >= 0.6.0, <= 0.6.3. It is fixed in 0.6.4, 0.5.14, 0.4.24. Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command.
  2. Which versions of net-imap are affected by CVE-2026-42257? net-imap (rubygems) versions >= 0.6.0, <= 0.6.3 is affected.
  3. Is there a fix for CVE-2026-42257? Yes. CVE-2026-42257 is fixed in 0.6.4, 0.5.14, 0.4.24. Upgrade to this version or later.
  4. Is CVE-2026-42257 exploitable, and should I be worried? Whether CVE-2026-42257 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-42257 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-42257?
    • Upgrade net-imap to 0.6.4 or later
    • Upgrade net-imap to 0.5.14 or later
    • Upgrade net-imap to 0.4.24 or later

Other vulnerabilities in net-imap

Stop the waste.
Protect your environment with Kodem.