
CVE-2025-25186 – Net::IMAP vulnerable to possible DoS by memory exhaustion
https://notcve.org/view.php?id=CVE-2025-25186
10 Feb 2025 — Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into a...

Reference: https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35

Weaknesses:
CWE-400: Uncontrolled Resource Consumption
CWE-405: Asymmetric Resource Consumption (Amplification)
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-789: Memory Allocation with Excessive Size Value
CWE-1287: Improper Validation of Specified Type of Input
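The amplification the advisory describes comes from the shape of the `uid-set` grammar: a range such as `1:4294967295` is a dozen bytes on the wire but `Range#to_a` materialises one Integer per UID. The following is an added illustration, not code from net-imap and not the project's actual fix: it parses a uid-set into `[first, last]` pairs, shows the unbounded expansion beside a bounded form that computes the expanded size arithmetically and refuses oversized sets before allocating anything. `MAX_UIDS`, the function names and the sample uid-set strings are assumptions chosen for the example.

```ruby
# Added example (not net-imap's code): parsing an IMAP uid-set such as
# "1,3:5,10" into UIDs, contrasting unbounded and bounded expansion.

MAX_UIDS = 10_000            # assumption: an illustrative per-response cap
MAX_UNIQUEID = 0xFFFF_FFFF   # uniqueid is nz-number: 1..4294967295

# Split a uid-set (RFC 4315: uniqueid or uniqueid ":" uniqueid, comma
# separated) into [first, last] pairs without expanding any range.
def parse_uid_ranges(uid_set)
  uid_set.split(",").map do |item|
    unless item.match?(/\A\d+(:\d+)?\z/)
      raise ArgumentError, "bad uid-set item: #{item.inspect}"
    end
    a, b = item.split(":").map(&:to_i)
    b ||= a
    a, b = b, a if a > b          # "5:3" denotes the same set as "3:5"
    unless (1..MAX_UNIQUEID).cover?(a) && (1..MAX_UNIQUEID).cover?(b)
      raise ArgumentError, "uid out of range in #{item.inspect}"
    end
    [a, b]
  end
end

# Unbounded: Range#to_a allocates one Integer per UID, so a short string
# like "1:4294967295" turns into roughly four billion elements.
def expand_uid_set_unbounded(uid_set)
  parse_uid_ranges(uid_set).flat_map { |a, b| (a..b).to_a }
end

# Size of the expanded set, O(1) per range, with nothing allocated.
def uid_set_size(uid_set)
  parse_uid_ranges(uid_set).sum { |a, b| b - a + 1 }
end

# Bounded: check the arithmetic size first, then expand only if it fits.
def expand_uid_set_bounded(uid_set, limit: MAX_UIDS)
  size = uid_set_size(uid_set)
  if size > limit
    raise RangeError, "uid-set expands to #{size} UIDs (limit #{limit})"
  end
  parse_uid_ranges(uid_set).flat_map { |a, b| (a..b).to_a }
end

if __FILE__ == $PROGRAM_NAME
  p expand_uid_set_bounded("1,3:5,10")      # constructed sample input
  p uid_set_size("1:4294967295")            # size computed, nothing expanded
  begin
    expand_uid_set_bounded("1:4294967295")
  rescue RangeError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the bounded form is that the decision to reject is made from the range endpoints alone, so a hostile peer pays the cost of sending the data while the client never pays the cost of expanding it; any cap is better than none, and the right value depends on what the caller actually does with the UIDs.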