CVE-2025-25186

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published Feb 10, 2025
CWE ID 409
CWE ID 400
CWE ID 789
CWE ID 1287
CWE ID 770
CWE ID 405

Summary

CVE-2025-25186 is a denial-of-service vulnerability affecting the Net::IMAP library, which provides Internet Message Access Protocol (IMAP) client functionality in Ruby. Versions prior to 0.3.8, 0.4.19, and 0.5.6 are vulnerable. A malicious server can exploit this issue by sending highly compressed `uid-set` data, causing memory exhaustion in the response parser while the client's receiver thread reads responses automatically. The parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers without any size limit, so a compact range expands into an arbitrarily large allocation. Upgrading to 0.3.8, 0.4.19, 0.5.6, or later fixes the issue. Additional details on proper configuration and backward compatibility are provided in the GitHub Security Advisory.
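The pattern the summary describes, eager `Range#to_a` expansion of a `uid-set`, beside a size-checked variant, as an added Ruby example. This is illustrative code, not Net::IMAP's own parser or its fix; the function names, the `UidSetTooLarge` error and the 10,000-entry cap are assumptions, and the `*` wildcard form of a uid-set is not handled.

```ruby
# Added example (not Net::IMAP code). Names and the cap are assumptions.
class UidSetTooLarge < StandardError; end

MAX_UID_SET_SIZE = 10_000 # hypothetical budget for expanded uid-sets

# Parse an IMAP uid-set such as "1,3:5,10:20" into an array of Ranges.
# Only syntax is validated here; nothing is expanded yet.
def parse_uid_set_ranges(str)
  str.split(",").map do |part|
    case part
    when /\A(\d+)\z/ then Integer($1)..Integer($1)
    when /\A(\d+):(\d+)\z/
      a, b = Integer($1), Integer($2)
      a, b = b, a if a > b # IMAP permits either bound first
      a..b
    else
      raise ArgumentError, "malformed uid-set element: #{part.inspect}"
    end
  end
end

# Number of integers the uid-set would expand to, computed from the
# bounds alone (Range#size is O(1) for integer ranges).
def uid_set_expanded_size(str)
  parse_uid_set_ranges(str).sum(&:size)
end

# Vulnerable pattern: expands every range with Range#to_a, so memory use
# is proportional to the range width the server chose, not to the
# bytes it sent. "1:4294967295" is a few bytes on the wire.
def expand_uid_set_unbounded(str)
  parse_uid_set_ranges(str).flat_map(&:to_a)
end

# Hardened variant: check the expanded size before allocating anything
# and refuse inputs that exceed the budget.
def expand_uid_set_bounded(str, limit: MAX_UID_SET_SIZE)
  size = uid_set_expanded_size(str)
  if size > limit
    raise UidSetTooLarge, "uid-set expands to #{size} entries (limit #{limit})"
  end
  expand_uid_set_unbounded(str)
end
```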
