CVE-2025-43857 Overview
CVE-2025-43857 is a denial-of-service vulnerability in the Ruby net-imap library, which implements Internet Message Access Protocol (IMAP) client functionality. A malicious or compromised IMAP server can send a crafted literal byte count that the client's receiver thread reads automatically. The response reader immediately allocates memory matching the server-supplied size, enabling memory exhaustion of the client process.
The issue affects any application that connects to untrusted, buggy, or compromised IMAP servers, including those where the server hostname is user-supplied. Affected releases are 0.5.x prior to 0.5.7, 0.4.x prior to 0.4.20, 0.3.x prior to 0.3.9, and every release prior to 0.2.5.
Critical Impact
A remote IMAP server can exhaust client memory by sending a single oversized literal byte count, terminating Ruby applications that connect to attacker-controlled or compromised mail servers.
Affected Products
- Ruby net-imap 0.5.x releases prior to 0.5.7
- Ruby net-imap 0.4.x releases prior to 0.4.20, 0.3.x releases prior to 0.3.9, and all releases prior to 0.2.5 (older maintained branches)
- Ruby applications that connect to user-supplied or untrusted IMAP server hostnames
Discovery Timeline
- 2025-04-28 - CVE-2025-43857 published to NVD
- 2025-11-21 - Last updated in NVD database
Technical Details for CVE-2025-43857
Vulnerability Analysis
The net-imap library parses IMAP server responses on a dedicated receiver thread. IMAP responses can include literal strings prefixed with a byte count in the form {N}, where N indicates the number of bytes to follow. The client honors this count by pre-allocating a buffer sized to N before reading the payload from the socket.
No upper bound is enforced on N. A malicious server can advertise an arbitrarily large literal size, causing the Ruby process to allocate memory until the operating system terminates it or the host becomes unresponsive. The flaw maps to [CWE-400] Uncontrolled Resource Consumption and [CWE-770] Allocation of Resources Without Limits or Throttling.
The vulnerability requires an active IMAP connection to a hostile endpoint. It does not yield code execution or data disclosure, but it can disrupt any service that programmatically connects to IMAP servers, including mail aggregators, webmail backends, and automation scripts that accept user-supplied IMAP hosts.
Root Cause
The response reader trusts the server-supplied literal byte count and allocates the corresponding buffer before validating size against available memory or any configured ceiling. Trusting unauthenticated protocol input for allocation sizing is the core defect.
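To make the allocation path described above concrete, here is an added illustration written for this page (my own code, not net-imap's parser): a minimal reader for the {N} literal syntax in its vulnerable shape beside the bounded shape the fix adopts. StringIO stands in for the socket, and the two response strings are constructed samples.

```ruby
require "stringio"

# Constructed sample responses, as a server would send them on the wire.
SMALL_LITERAL_RESPONSE = "* 1 FETCH (RFC822.TEXT {11}\r\nhello world)\r\n"
HUGE_LITERAL_RESPONSE  = "* 1 FETCH (RFC822.TEXT {4294967296}\r\n" # claims a 4 GiB literal

# Ceiling used below; chosen to match the 512 MiB default of patched net-imap.
DEMO_MAX_LITERAL = 512 * 1024 * 1024

class ResponseTooLarge < StandardError; end

# A line that ends in {N}CRLF announces N literal bytes to follow.
LITERAL_RE = /\{(\d+)\}\r\n\z/

# Returns the advertised byte count, or nil if the line carries no literal.
def literal_size(line)
  m = LITERAL_RE.match(line.to_s)
  m && m[1].to_i # to_i, not Integer(): "010" must not be parsed as octal
end

# Vulnerable shape. N is taken straight from the server and handed to read(N).
# On a real socket, IO#read(N) sizes its buffer to N before any byte arrives,
# so a bogus N of several GiB raises NoMemoryError or gets the process OOM-killed.
# (StringIO does not preallocate, which is why this demo is safe to run.)
def read_literal_unbounded(io)
  n = literal_size(io.gets) or return nil
  io.read(n)
end

# Hardened shape. The count is checked against a ceiling before read(N) is
# called, so nothing is allocated for a literal the client would never accept.
def read_literal_bounded(io, max_bytes: DEMO_MAX_LITERAL)
  n = literal_size(io.gets) or return nil
  if n > max_bytes
    raise ResponseTooLarge, "server advertised a #{n}-byte literal, limit is #{max_bytes}"
  end
  io.read(n)
end

if $PROGRAM_NAME == __FILE__
  p read_literal_bounded(StringIO.new(SMALL_LITERAL_RESPONSE))
  begin
    read_literal_bounded(StringIO.new(HUGE_LITERAL_RESPONSE))
  rescue ResponseTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The only difference between the two readers is the comparison before read(N); that single check is what separates a client that can be killed by one line of server output from one that cannot.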
Attack Vector
The attacker controls or operates the IMAP server the victim connects to. Once the TCP connection is established, the server emits a response containing an oversized literal length. The client's receiver thread reads the length and attempts the allocation, and the process either dies with NoMemoryError or is killed by the operating system. The only precondition is that the client open an IMAP session with the hostile endpoint, which in practice often happens through an application feature that lets users specify their own mail server.
No authentication is required because the malicious response can be sent before or during authentication exchanges over the same connection.
Detection Methods for CVE-2025-43857
Indicators of Compromise
- Ruby application processes terminated by the OOM killer shortly after initiating IMAP connections
- Sudden memory spikes in worker processes that perform outbound IMAP traffic on TCP/143 or TCP/993
- Application logs showing NoMemoryError exceptions originating from Net::IMAP response parsing
- Outbound IMAP connections to unexpected or low-reputation hostnames supplied by end users
Detection Strategies
- Inventory Ruby applications and Gemfile.lock entries to identify net-imap versions below 0.5.7, 0.4.20, 0.3.9, or 0.2.5
- Correlate process crash events with outbound IMAP socket activity to flag suspicious server responses
- Inspect network telemetry for IMAP responses containing unusually large literal byte counts in the {N} syntax
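The first detection strategy can be scripted. The following is an added example, not part of the advisory or of net-imap: it scans a Gemfile.lock for the net-imap entry, maps the version to its release branch, and compares it with the fixed release for that branch. The lockfile text is a constructed sample; pass a real lockfile path on the command line to audit it.

```ruby
# Fixed release per branch, as listed in the advisory.
FIXED_NET_IMAP = {
  "0.2" => Gem::Version.new("0.2.5"),
  "0.3" => Gem::Version.new("0.3.9"),
  "0.4" => Gem::Version.new("0.4.20"),
  "0.5" => Gem::Version.new("0.5.7"),
}.freeze

# True if this net-imap release is affected by CVE-2025-43857.
def vulnerable_net_imap?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < FIXED_NET_IMAP["0.2"] # everything below 0.2.5, whatever the branch
  fixed = FIXED_NET_IMAP[v.segments.first(2).join(".")]
  return false if fixed.nil?                # branch newer than 0.5.x: released with the fix
  v < fixed
end

# Gemfile.lock lists installed gems under "specs:" indented by exactly four
# spaces; dependency lines are indented by six and are skipped on purpose.
LOCK_ENTRY_RE = /^ {4}net-imap \(([^)\s-]+)/

# Returns one hash per net-imap entry found in the lockfile text.
def audit_lockfile(text)
  text.each_line.filter_map do |line|
    m = LOCK_ENTRY_RE.match(line) or next
    { version: m[1], vulnerable: vulnerable_net_imap?(m[1]) }
  end
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mail (2.8.1)
        net-imap
        net-pop
        net-smtp
      net-imap (0.5.6)
        date
        net-protocol
      net-protocol (0.2.2)
        timeout
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV[0])
  audit_lockfile(text).each do |entry|
    status = entry[:vulnerable] ? "VULNERABLE" : "patched"
    puts "net-imap #{entry[:version]}: #{status}"
  end
end
```

Run it across every checked-out repository (for example with find and xargs) to get an inventory; applications that use the copy of net-imap bundled with Ruby rather than a Gemfile entry will not appear here and need to be checked with `ruby -rnet/imap -e 'puts Net::IMAP::VERSION'`.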
Monitoring Recommendations
- Alert on Ruby process memory growth exceeding baselines when IMAP sockets are open
- Track outbound connections to TCP/143 and TCP/993 destinations, especially toward user-supplied hostnames
- Monitor application error logs for repeated Net::IMAP allocation failures or thread terminations
How to Mitigate CVE-2025-43857
Immediate Actions Required
- Upgrade net-imap to 0.5.7, 0.4.20, 0.3.9, or 0.2.5 depending on the supported branch in use
- Audit applications that accept user-supplied IMAP hostnames and restrict them to allowlisted servers where feasible
- Enforce TLS (imaps://) connections to trusted providers to reduce exposure to man-in-the-middle response injection
Patch Information
The maintainers patched the issue in net-imap versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5. The fix adds a configurable ceiling on the size of a server response (Net::IMAP::Config#max_response_size, 512 MiB by default) and raises Net::IMAP::ResponseTooLargeError instead of allocating when a server-advertised literal would push the response past that limit. See the GitHub Security Advisory GHSA-j3g3-5qv5-52mj and the corresponding pull requests #442, #445, #446, and #447.
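Putting the immediate actions together, as an added example that is not the project's own code: an allowlist check on the hostname, a TLS-only connection, and the response-size ceiling the patched releases expose (Net::IMAP::Config#max_response_size), lowered from its 512 MiB default to what the application actually needs. The hostnames in the allowlist and the 32 MiB cap are assumptions; adjust them to your own deployment.

```ruby
# Constructed allowlist of approved IMAP servers (assumption: replace with your own).
ALLOWED_IMAP_HOSTS = %w[imap.example.com imap.mail.example.net].freeze
# Assumed ceiling: far below net-imap's 512 MiB default, above any message this app expects.
MAX_RESPONSE_BYTES = 32 * 1024 * 1024

class UntrustedImapHost < StandardError; end

# Returns the normalized hostname if it is allowlisted, otherwise raises.
# Case and a trailing dot are normalized so "IMAP.Example.COM." matches the entry.
def vet_imap_host(host, allowlist = ALLOWED_IMAP_HOSTS)
  normalized = host.to_s.strip.downcase.chomp(".")
  unless allowlist.include?(normalized)
    raise UntrustedImapHost, "#{host.inspect} is not an approved IMAP server"
  end
  normalized
end

# True only if the loaded net-imap exposes the response-size ceiling added by the fix;
# releases without it are unpatched for CVE-2025-43857.
def response_cap_supported?
  defined?(Net::IMAP) && Net::IMAP.respond_to?(:config) &&
    Net::IMAP.config.respond_to?(:max_response_size=)
end

# Opens an authenticated TLS session, refusing to run on an unpatched net-imap.
def open_hardened_imap(host, user, password)
  require "net/imap"
  safe_host = vet_imap_host(host)
  unless response_cap_supported?
    raise "net-imap #{Net::IMAP::VERSION} predates the CVE-2025-43857 fix; upgrade first"
  end
  # The global config must be set before the connection is opened: the server
  # greeting is already parsed on the receiver thread inside Net::IMAP.new.
  Net::IMAP.config.max_response_size = MAX_RESPONSE_BYTES
  imap = Net::IMAP.new(safe_host, ssl: true) # TLS on 993 with certificate verification
  imap.authenticate("PLAIN", user, password)
  imap
end
```

Vetting the hostname before any socket is opened is what neutralizes the "user-supplied IMAP host" scenario; the version gate turns a silent exposure into a loud failure at deploy time, and the lowered cap limits the damage a buggy but trusted provider can do.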
Workarounds
- Restrict outbound IMAP connections to a vetted list of trusted mail providers via egress firewall rules
- Run IMAP-consuming workers under strict memory limits (cgroups, container limits) so a crash does not impact other services
- Reject user-supplied IMAP hostnames or require administrator approval before allowing new server endpoints
# Update the net-imap gem to a patched release without touching other gems
bundle update net-imap --conservative
# Or pin a fixed version in the Gemfile and run `bundle install`
# gem 'net-imap', '>= 0.5.7'
# Verify the installed version under Bundler...
bundle list | grep net-imap
# ...or, for applications that rely on the copy bundled with Ruby
ruby -rnet/imap -e 'puts Net::IMAP::VERSION'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.