CVE-2025-25186 Overview
CVE-2025-25186 is a Memory Exhaustion Denial of Service vulnerability in the Net::IMAP library, which provides Internet Message Access Protocol (IMAP) client functionality in Ruby. The vulnerability exists in the response parser's handling of uid-set data, where a malicious IMAP server can send highly compressed uid-set ranges that are automatically expanded into memory-consuming arrays.
Starting in version 0.3.2, the response parser uses Range#to_a to convert uid-set data into arrays of integers without any limitation on the expanded size of the ranges. This allows an attacker controlling a malicious IMAP server to craft responses containing compressed uid-set data that expands to enormous arrays, exhausting available memory on the client system.
Critical Impact
A malicious IMAP server can cause denial of service through memory exhaustion on any Ruby application using vulnerable versions of Net::IMAP by sending specially crafted uid-set responses.
Affected Products
- Net::IMAP versions 0.3.2 through 0.3.7
- Net::IMAP versions 0.4.0 through 0.4.18
- Net::IMAP versions 0.5.0 through 0.5.5
Discovery Timeline
- 2025-02-10 - CVE-2025-25186 published to NVD
- 2025-02-10 - Last updated in NVD database
Technical Details for CVE-2025-25186
Vulnerability Analysis
This vulnerability (CWE-400: Uncontrolled Resource Consumption) affects the Net::IMAP response parser in Ruby applications. The attack occurs when a connected IMAP client receives responses from a malicious server containing specially crafted uid-set data.
The vulnerability specifically targets the DeprecatedUIDPlus function in the response parser, which processes COPYUID and APPENDUID response codes. When parsing uid-set data, the original code would call .each_ordered_number.to_a on the uid-set ranges, converting them directly into arrays without bounds checking. A range like 1:4294967295 (representing all possible UIDs) would be expanded into an array containing billions of integers, quickly exhausting system memory.
The attack is particularly dangerous because the client's receiver thread automatically reads and processes server responses. An attacker doesn't need to wait for specific client actions—they simply need the client to connect to their malicious server, then send the crafted response at any time during the connection.
Root Cause
The root cause is the lack of size validation when converting compressed uid-set range data into expanded integer arrays. The original implementation trusted server-provided uid-set ranges to be reasonable in size, calling Range#to_a on arbitrary ranges without checking the potential expanded size. This violates the security principle of never trusting external input, especially from network sources.
The vulnerable code pattern was:
src_uids &&= src_uids.each_ordered_number.to_a
dst_uids = dst_uids.each_ordered_number.to_a
This allowed unbounded expansion of compact range representations into memory-consuming arrays.
Attack Vector
The attack requires a victim application to connect to a malicious IMAP server controlled by the attacker. The attack vector is network-based and requires user interaction (the user must initiate or configure a connection to the malicious server). Once connected, the malicious server can send crafted responses at any time to trigger memory exhaustion.
The patched code introduces MAX_UID_SET_SIZE and bounds checking:
# Security patch in lib/net/imap/response_parser.rb
# Source: https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022
class ResponseParser
MAX_UID_SET_SIZE = 10_000
def initialize
@str = nil
The fix in the DeprecatedUIDPlus function validates sizes before expansion:
# Security patch in lib/net/imap/response_parser.rb
# Source: https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35
# TODO: remove this code in the v0.6.0 release
def DeprecatedUIDPlus(validity, src_uids = nil, dst_uids)
return unless config.parser_use_deprecated_uidplus_data
compact_uid_sets = [src_uids, dst_uids].compact
count = compact_uid_sets.map { _1.count_with_duplicates }.max
max = config.parser_max_deprecated_uidplus_data_size
if count <= max
src_uids &&= src_uids.each_ordered_number.to_a
dst_uids = dst_uids.each_ordered_number.to_a
UIDPlusData.new(validity, src_uids, dst_uids)
elsif config.parser_use_deprecated_uidplus_data != :up_to_max_size
parse_error("uid-set is too large: %d > %d", count, max)
end
end
Detection Methods for CVE-2025-25186
Indicators of Compromise
- Unusual memory consumption spikes in Ruby applications using Net::IMAP
- Application crashes or out-of-memory (OOM) errors during IMAP operations
- IMAP connections to unknown or untrusted mail servers
- Log entries showing abnormally large uid-set ranges in IMAP responses
Detection Strategies
- Monitor memory usage patterns of Ruby applications that implement IMAP client functionality
- Implement application-level logging for IMAP response sizes and uid-set ranges
- Use dependency scanning tools to identify vulnerable Net::IMAP versions in your codebase
- Configure memory limits and resource constraints for Ruby processes handling IMAP connections
Monitoring Recommendations
- Set up alerts for abnormal memory growth in IMAP-enabled Ruby applications
- Monitor for OOM killer events on systems running vulnerable applications
- Track outbound connections from applications to untrusted IMAP servers
- Review application logs for parser errors or unexpected disconnections during IMAP operations
How to Mitigate CVE-2025-25186
Immediate Actions Required
- Update Net::IMAP to patched versions: 0.3.8, 0.4.19, 0.5.6, or higher
- Review your Ruby application dependencies using bundle audit or similar tools
- Set parser_use_deprecated_uidplus_data to false in Net::IMAP configuration to completely block the vulnerability
- Ensure applications only connect to trusted IMAP servers
Patch Information
Security patches have been released in Net::IMAP versions 0.3.8, 0.4.19, and 0.5.6. The patches introduce a configurable maximum size limit (parser_max_deprecated_uidplus_data_size) for uid-set expansion, with a default value of 10_000 entries. Additional configuration options provide backward compatibility while allowing security-conscious deployments to completely disable the vulnerable code path.
For detailed configuration guidance and backward compatibility information, refer to the GitHub Security Advisory GHSA-7fc5-f82f-cx69.
Relevant commits:
Workarounds
- Disable deprecated UIDPlus data parsing by setting parser_use_deprecated_uidplus_data to false
- Configure parser_max_deprecated_uidplus_data_size to a low value appropriate for your use case
- Implement memory limits on Ruby processes using container orchestration or system-level controls
- Only connect to known and trusted IMAP servers
# Configuration example for Net::IMAP
# Disable vulnerable deprecated UIDPlus parsing entirely
Net::IMAP.config.parser_use_deprecated_uidplus_data = false
# Or limit the maximum size of uid-set expansion
Net::IMAP.config.parser_max_deprecated_uidplus_data_size = 1000
# Use :up_to_max_size to silently truncate instead of raising errors
Net::IMAP.config.parser_use_deprecated_uidplus_data = :up_to_max_size
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
