Denial of Service via Memory Exhaustion in Net::IMAP <0.5.7
CVE-2025-43857 Published on April 28, 2025
net-imap rubygem vulnerable to possible DoS by memory exhaustion
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.
Weakness Types
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2025-43857 has been classified to as a Resource Exhaustion vulnerability or weakness.
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
What is a Stack Exhaustion Vulnerability?
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CVE-2025-43857 has been classified to as a Stack Exhaustion vulnerability or weakness.
What is an Amplification Vulnerability?
Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system or the network.
CVE-2025-43857 has been classified to as an Amplification vulnerability or weakness.
Products Associated with CVE-2025-43857
Want to know whenever a new CVE is published for Ruby Programming Language Net? stack.watch will email you.
Affected Versions
ruby net-imap:- Version >= 0.5.0, < 0.5.7 is affected.
- Version >= 0.4.0, < 0.4.20 is affected.
- Version >= 0.3.0, < 0.3.9 is affected.
- Version >= 0, < 0.2.5 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-43857
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| rubygems | net-imap | >= 0.5.0, <= 0.5.6 | 0.5.7 |
| rubygems | net-imap | >= 0.4.0, <= 0.4.19 | 0.4.20 |
| rubygems | net-imap | >= 0.3.0, <= 0.3.8 | 0.3.9 |
| rubygems | net-imap | >= 0, <= 0.2.4 | 0.2.5 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.