{"id":"GHSA-q2mw-fvj9-vvcw","summary":"net-imap has quadratic complexity when reading response literals","details":"### Summary\n\n`Net::IMAP::ResponseReader` has quadratic time complexity when reading large responses containing many string literals.  A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack.\n\n### Details\n\nFor each literal in a response, `ResponseReader` rescans the entire growing response buffer.  The regular expression that is used to scan the response buffer runs in linear time.  With many literals, this becomes O(n²) total work.  The regular expression should run in constant time: it is anchored to the end and only the last 23 bytes of the buffer are relevant.\n\nBecause the algorithmic complexity is super-linear, this bypasses protection from `max_response_size`: a response can stay well below the default size limit while still causing very large CPU cost.\n\n`Net::IMAP::ResponseReader` runs continuously in the receiver thread until the connection closes.\n\n### Impact\n\nThis consumes disproportionate CPU time in the client's receiver thread.  A hostile server could use this to exhaust the client's CPU for a denial of service attack.\n\nFor a response near the default `max_response_size`, each individual regexp scan could take between 100 to 200ms on common modern hardware, and this may be repeated 200k times per megabyte of response.  While the regexp is scanning, it retains the Global VM lock, preventing other threads from running.\n\nAlthough other threads should not be _completely_ blocked, their run time will be significantly impacted.\n\n### Mitigation\n\n* Upgrade to a patched version of net-imap that reads responses more efficiently.\n* Do not connect to untrusted IMAP servers.\n* When connecting to untrusted servers, a _much_ smaller `max_response_size` (for example: 8KiB) will limit the impact.  Although this is too small for fetching unpaginated message bodies, it should be enough for most other operations.","aliases":["CVE-2026-42245"],"modified":"2026-05-13T13:56:25.745702Z","published":"2026-05-04T22:02:56Z","related":["CGA-c5qg-5r4v-5f7j"],"database_specific":{"nvd_published_at":"2026-05-09T20:16:28Z","cwe_ids":["CWE-407"],"github_reviewed_at":"2026-05-04T22:02:56Z","severity":"LOW","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42245"},{"type":"WEB","url":"https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96"},{"type":"WEB","url":"https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda"},{"type":"WEB","url":"https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819"},{"type":"PACKAGE","url":"https://github.com/ruby/net-imap"},{"type":"WEB","url":"https://github.com/ruby/net-imap/releases/tag/v0.4.24"},{"type":"WEB","url":"https://github.com/ruby/net-imap/releases/tag/v0.5.14"},{"type":"WEB","url":"https://github.com/ruby/net-imap/releases/tag/v0.6.4"}],"affected":[{"package":{"name":"net-imap","ecosystem":"RubyGems","purl":"pkg:gem/net-imap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.6.0"},{"fixed":"0.6.4"}]}],"versions":["0.6.0","0.6.1","0.6.2","0.6.3"],"database_specific":{"last_known_affected_version_range":"\u003c= 0.6.3","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q2mw-fvj9-vvcw/GHSA-q2mw-fvj9-vvcw.json"}},{"package":{"name":"net-imap","ecosystem":"RubyGems","purl":"pkg:gem/net-imap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.5.0"},{"fixed":"0.5.14"}]}],"versions":["0.5.0","0.5.1","0.5.10","0.5.11","0.5.12","0.5.13","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.5.9"],"database_specific":{"last_known_affected_version_range":"\u003c= 0.5.13","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q2mw-fvj9-vvcw/GHSA-q2mw-fvj9-vvcw.json"}},{"package":{"name":"net-imap","ecosystem":"RubyGems","purl":"pkg:gem/net-imap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.24"}]}],"versions":["0.1.0","0.1.1","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.3.0","0.3.1","0.3.10","0.3.2","0.3.3","0.3.4","0.3.4.1","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.0","0.4.1","0.4.10","0.4.11","0.4.12","0.4.13","0.4.14","0.4.15","0.4.16","0.4.17","0.4.18","0.4.19","0.4.2","0.4.20","0.4.21","0.4.22","0.4.23","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","0.4.9.1"],"database_specific":{"last_known_affected_version_range":"\u003c= 0.4.23","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q2mw-fvj9-vvcw/GHSA-q2mw-fvj9-vvcw.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}]}