Uncontrolled Resource Consumption
CVE-2025-43857
Summary
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. It is vulnerable to denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send a "literal" byte count, which the client's receiver thread reads automatically. The response reader immediately allocates memory for the number of bytes indicated by the server response, before any of that data has arrived. This should not be an issue when connecting securely to trusted, well-behaved IMAP servers. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, when connecting to a user-supplied hostname). This issue affects versions prior to 0.2.5, 0.3.x prior to 0.3.9, 0.4.x prior to 0.4.20, and 0.5.x prior to 0.5.7.
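The following is an added example in Ruby, not net-imap's own code or the upstream fix: a minimal IMAP literal reader that shows the naive "allocate whatever the server announced" behaviour beside a reader that caps the announced byte count before reading. The limit constant, error class, function names and sample response lines are all constructed for this example.

```ruby
require "stringio"

# Raised when a server-announced literal exceeds the configured cap.
class LiteralTooLarge < StandardError; end

# Constructed cap for this example (not net-imap's default).
MAX_LITERAL_BYTES = 1 * 1024 * 1024 # 1 MiB

# An IMAP literal prefix terminates a line, e.g. "... {42}\r\n".
LITERAL_RE = /\{(\d+)\}\r\n\z/

# Splits a response line into [text_before_prefix, byte_count];
# byte_count is nil when the line carries no literal.
def parse_literal_prefix(line)
  m = LITERAL_RE.match(line)
  return [line, nil] unless m
  [m.pre_match, Integer(m[1], 10)]
end

# Naive reader, mirroring the vulnerable behaviour: IO#read(n) on a real
# socket preallocates an n-byte buffer, so the server controls allocation.
def read_literal_unbounded(io, n)
  io.read(n)
end

# Hardened reader: reject the announced size before any allocation.
def read_literal_bounded(io, n, max: MAX_LITERAL_BYTES)
  raise LiteralTooLarge, "server announced #{n} bytes (limit #{max})" if n > max
  data = io.read(n)
  raise EOFError, "short literal" if data.nil? || data.bytesize < n
  data
end

# Reads one response line plus its trailing literal, if any.
def read_response(io, max: MAX_LITERAL_BYTES)
  line = io.gets("\r\n") or raise EOFError, "connection closed"
  head, n = parse_literal_prefix(line)
  return [head, nil] if n.nil?
  [head, read_literal_bounded(io, n, max: max)]
end

# Constructed sample traffic (not a capture): a 5-byte literal and a
# hostile 4 GiB announcement that a bounded reader must refuse.
BENIGN  = "* 1 FETCH (BODY[] {5}\r\nhello)\r\n"
HOSTILE = "* 1 FETCH (BODY[] {4294967296}\r\n"
```

Feeding HOSTILE to read_literal_unbounded on a real socket would try to reserve 4 GiB; read_response raises LiteralTooLarge before allocating.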
CVSS v3 base metrics
- Attack complexity: LOW
- Attack vector: NETWORK
- Privileges required: NONE
- Scope: UNCHANGED
- User interaction: REQUIRED
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.