Bug #21130

Updated by nevans (Nicholas Evans) 3 months ago

The bundled versions are vulnerable to CVE-2024-25186 (GHSA-7fc5-f82f-cx69). (https://www.cve.org/CVERecord?id=CVE-2025-25186). Fixing the issue requires upgrading to v0.3.8, v0.4.19, or v0.5.4.

 * ruby 3.2.7 bundles net-imap v0.3.4.1 
   PR: Bump net-imap to 0.3.8 for Ruby 3.2 
   https://github.com/ruby/ruby/pull/12733 
 * ruby 3.3.7 bundles net-imap v0.4.9.1 
   PR: Bump net-imap to 0.4.19 for Ruby 3.3 
   https://github.com/ruby/ruby/pull/12732 
 * ruby 3.4.1 bundles net-imap v0.5.4 
   PR: Bump net-imap to v0.5.6 for Ruby 3.4 
   https://github.com/ruby/ruby/pull/12731 

 The workaround is to uninstall the vulnerable bundled versions and `gem install net-imap`. 

 Security Advisory Links: 
 * https://www.cve.org/CVERecord?id=CVE-2025-25186 
 * https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69
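An added example, not part of the original report or of the net-imap project: a Ruby check that lists installed net-imap copies still below the version each bump PR above moves to. It assumes the PR targets (0.3.8, 0.4.19, 0.5.6) are the per-series minimums; the constant and method names are hypothetical.

```ruby
require "rubygems"

# Assumption: per-series minimums are the versions the bump PRs in this
# report move to (0.3.8 for Ruby 3.2, 0.4.19 for Ruby 3.3, 0.5.6 for Ruby 3.4).
BUMP_TARGETS = {
  "0.3" => Gem::Version.new("0.3.8"),
  "0.4" => Gem::Version.new("0.4.19"),
  "0.5" => Gem::Version.new("0.5.6"),
}.freeze

# Bump target for the release series of +version+ (e.g. "0.4.9.1" -> 0.4.19),
# or nil when the series is not one this report covers.
def bump_target_for(version)
  series = Gem::Version.new(version).segments.first(2).join(".")
  BUMP_TARGETS[series]
end

# True when +version+ is in a covered series and older than its bump target.
# Versions in other series return false: the report says nothing about them.
def needs_bump?(version)
  target = bump_target_for(version)
  !target.nil? && Gem::Version.new(version) < target
end

# Every net-imap copy RubyGems can see, bundled or installed by the user.
# A newer gem installed alongside the bundled one does not remove the old copy,
# which is why the workaround also uninstalls the bundled version.
def installed_net_imap_versions
  Gem::Specification.find_all_by_name("net-imap").map { |spec| spec.version.to_s }
end

# Subset of +versions+ that still needs the bump, oldest first.
def audit(versions)
  versions.select { |v| needs_bump?(v) }.sort_by { |v| Gem::Version.new(v) }
end

if $PROGRAM_NAME == __FILE__
  stale = audit(installed_net_imap_versions)
  if stale.empty?
    puts "no installed net-imap copy is below its bump target"
  else
    stale.each { |v| puts "net-imap #{v} is below #{bump_target_for(v)}" }
  end
end
```
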
