CVE-2026-47242
Ruby Vulnerability Analysis and Mitigation

Overview

CVE-2026-47242 is a command injection vulnerability in Ruby's net-imap gem affecting the Net::IMAP#id and Net::IMAP#enable methods. Neither method validates its arguments, so a caller-supplied value can carry arbitrary IMAP commands onto the wire. Affected versions are net-imap 0.6.0 through 0.6.4 and every version up to and including 0.5.14. The advisory was published on June 9, 2026, and patched versions 0.6.4.1 (0.6.x branch) and 0.5.15 (0.5.x branch) were released the same day. It carries a CVSS v4.0 base score of 5.8 (Medium) per the GitHub Advisory Database (GitHub Advisory, ruby/net-imap Advisory).

Technical Details

The root cause is improper input validation in two Net::IMAP client commands, classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-93 (Improper Neutralization of CRLF Sequences). In Net::IMAP#id, ID field values are sent as IMAP quoted strings, and the quoting correctly escapes backslash and double-quote characters, but CR and LF are neither escaped nor rejected. IMAP quoted strings may not contain line terminators (RFC 3501), and servers read commands as CRLF-terminated lines, so a value containing \r\n ends the current ID command and whatever follows it is parsed as a new command. In Net::IMAP#enable, arguments are resolved for aliases but never validated as IMAP atoms; each argument's #to_s value is sent verbatim, so a string containing spaces or CRLF injects arbitrary content into the command line. Exploitation requires that the application pass untrusted user input to either method, a condition the advisory expects to be uncommon (GitHub Advisory, ruby/net-imap Advisory).

Impact

Successful exploitation allows an attacker to inject arbitrary IMAP commands into the session, with high integrity impact on the vulnerable system (for example, issuing DELETE against a mailbox). Injected commands execute with the privileges of the application's authenticated IMAP session, so their reach is bounded by what that account can do. Confidentiality is not directly impacted, since the attacker does not normally see the server's responses, but injected commands could be combined with knowledge of shared mail folders or application-specific response handlers to enable further attacks. Availability impact is rated low, and there is no assessed impact on subsequent systems (GitHub Advisory).

Exploitation Steps

  1. Identify a vulnerable application: Find a Ruby application using net-imap <= 0.5.14 or 0.6.0 through 0.6.4 that passes user-controlled input to Net::IMAP#id (as a hash value) or Net::IMAP#enable (as an argument).
  2. Craft a malicious payload: Construct an input string containing a CRLF sequence (\r\n) followed by a complete IMAP command, e.g., legitimate_value\r\nA001 DELETE INBOX for the #id method, or an arbitrary string in place of a capability atom for #enable.
  3. Deliver the payload: Supply the crafted string through whatever input channel the application exposes (e.g., a configuration field, user-supplied client identifier, or version string) that is subsequently passed to the vulnerable method.
  4. Trigger IMAP command injection: When the application calls Net::IMAP#id or Net::IMAP#enable with the tainted input, the CRLF sequence causes the IMAP server to treat the text that follows as a separate command. The original line is typically rejected as malformed (its quoted string is never closed), but the injected line is well-formed and executes in the context of the established IMAP session (GitHub Advisory, ruby/net-imap Advisory).
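The four steps above on the wire, as an added example that is not part of the advisory or of the net-imap code base: it models the quoting and command construction the text describes, then reads the result back the way a line-oriented IMAP server would. The tag format RUBYnnnn, the helper names and the attacker input are constructed for illustration.

```ruby
# Added example, not net-imap code: models how an unvalidated #id value or #enable
# argument reaches the wire and how a CRLF-line-oriented IMAP server then reads it.
# The "RUBYnnnn" tag format and the exact quoting rules are assumptions about net-imap.

# Quoting as done for IMAP quoted strings: only backslash and double quote are
# escaped, so CR and LF pass through untouched (the root cause in #id).
def quote(str)
  '"' + str.gsub(/(["\\])/) { "\\#{$1}" } + '"'
end

# Vulnerable construction of the ID command (RFC 2971 parameter list).
def build_id_command(tag, fields)
  list = fields.flat_map { |k, v| [quote(k), v.nil? ? "NIL" : quote(v)] }.join(" ")
  "#{tag} ID (#{list})\r\n"
end

# Vulnerable construction of ENABLE: each argument's #to_s is sent verbatim.
def build_enable_command(tag, *capabilities)
  "#{tag} ENABLE #{capabilities.map(&:to_s).join(' ')}\r\n"
end

# Server side: IMAP commands are CRLF-terminated lines, and a quoted string cannot
# legally span lines, so every CRLF ends one command and starts the next.
# Returns [[tag, command, args], ...] as the server would see them.
def parse_commands(wire)
  wire.split("\r\n").map { |line| line.split(" ", 3) }
end

# Constructed attacker input for the "name" field of #id. The first CRLF ends the
# ID command (now malformed; the server typically answers BAD), the DELETE sits on
# its own well-formed line, and a harmless NOOP absorbs the closing quote and
# parenthesis (the trailing space turns them into a separate, ignored argument).
INJECTED_CLIENT_NAME = "MyMailer\r\nA001 DELETE INBOX\r\nA002 NOOP "

def id_injection_demo
  parse_commands(build_id_command("RUBY0001", { "name" => INJECTED_CLIENT_NAME }))
end

# Same idea for #enable: the argument is not an atom, but it is sent as-is.
def enable_injection_demo
  parse_commands(build_enable_command("RUBY0002", "UTF8=ACCEPT\r\nA003 DELETE Archive"))
end

if __FILE__ == $PROGRAM_NAME
  (id_injection_demo + enable_injection_demo).each do |tag, cmd, args|
    puts "#{tag} #{cmd} #{args}"
  end
end
```

Run stand-alone, the script prints the five command lines the server would parse: two malformed ID/NOOP fragments and three clean commands, of which A001 DELETE INBOX and A003 DELETE Archive are entirely attacker-chosen.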

Indicators of Compromise

  • Network: Unexpected or malformed IMAP commands observed in client-to-server traffic following an ID or ENABLE command, in particular an ID line whose quoted-string argument is never closed on that line, and unusual IMAP operations (e.g., DELETE, RENAME, STORE) immediately following ID or ENABLE in the same session, often with a tag that does not match the client's usual tag pattern. IMAP is normally carried over TLS, so this requires TLS termination or inspection at the server rather than passive capture.
  • Logs: IMAP server logs showing BAD responses to ID or ENABLE commands (the truncated first line) followed by unexpected command sequences from the same connection; application logs reflecting anomalous IMAP responses or errors tied to Net::IMAP#id or Net::IMAP#enable calls.
  • Application Behavior: Unexpected mailbox deletions, renames, or flag changes on the IMAP server that correlate with application activity involving user-supplied input to IMAP client ID fields or ENABLE arguments.
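A heuristic scan for the network indicators above, added here as an example and not taken from the advisory. It runs over a constructed, already-decrypted client-to-server capture and flags lines that leave an IMAP quoted string open, the command that follows such a line, and tags whose prefix differs from the session's. The assumption that net-imap tags look like RUBY followed by four digits, the sample capture and the list of destructive commands are all constructed for illustration.

```ruby
# Added example, not from the advisory: heuristic detection of CRLF-injected IMAP
# commands in a cleartext client-to-server capture (needs TLS termination or
# server-side command logging). Sample capture below is constructed.

# Commands whose appearance right after a broken line is worth paging someone for.
DESTRUCTIVE = %w[DELETE RENAME STORE COPY MOVE EXPUNGE CREATE].freeze

# True when the line ends inside an IMAP quoted string: an unescaped '"' was opened
# and never closed. A conforming client never sends such a line, because CRLF is
# not allowed inside quoted strings; an injected CRLF produces exactly this.
def unterminated_quote?(line)
  in_quote = false
  escaped = false
  line.each_char do |ch|
    if escaped
      escaped = false
    elsif in_quote && ch == "\\"
      escaped = true
    elsif ch == '"'
      in_quote = !in_quote
    end
  end
  in_quote
end

# Scan CRLF-separated client command lines; returns [[line_no, reason], ...].
def scan_client_stream(stream)
  findings = []
  prefix = nil        # alphabetic tag prefix established by the first command
  prev_open = false   # previous line left a quoted string open
  stream.split("\r\n").each_with_index do |line, idx|
    no = idx + 1
    tag, cmd, _args = line.split(" ", 3)
    next if tag.nil?
    this_prefix = tag[/\A[A-Z]+/]
    prefix ||= this_prefix
    open_now = unterminated_quote?(line)

    findings << [no, "#{cmd} leaves a quoted string open (CRLF inside an argument?)"] if open_now
    findings << [no, "tag prefix #{this_prefix.inspect} differs from session prefix #{prefix.inspect}"] if this_prefix != prefix
    if prev_open
      kind = DESTRUCTIVE.include?(cmd.to_s.upcase) ? "destructive" : "unexpected"
      findings << [no, "#{kind} command #{cmd} immediately after a broken line"]
    end
    prev_open = open_now
  end
  findings
end

# Constructed capture: a net-imap session whose ID "name" field carried an
# injected DELETE (compare the exploitation steps above).
CONSTRUCTED_CAPTURE = [
  "RUBY0001 CAPABILITY",
  'RUBY0002 ID ("name" "MyMailer',
  "A001 DELETE INBOX",
  'A002 NOOP ")',
  "RUBY0003 LOGOUT",
].join("\r\n") + "\r\n"

if __FILE__ == $PROGRAM_NAME
  scan_client_stream(CONSTRUCTED_CAPTURE).each { |no, reason| puts "line #{no}: #{reason}" }
end
```

The open-quote check is the strongest single signal: it has no legitimate cause in a conforming client, whereas the tag-prefix and follow-on-command checks are context that helps rank the hit. Line 5 in the sample is flagged only because it follows the sacrificial NOOP fragment, which is the expected false positive of this heuristic.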

Mitigations and Workarounds

Update net-imap to version 0.6.4.1 (for the 0.6.x branch) or 0.5.15 (for the 0.5.x branch); these releases reject CRLF sequences in #id arguments and enforce atom validation for #enable arguments. If upgrading is not immediately possible, ensure that no untrusted user input reaches Net::IMAP#id field values or Net::IMAP#enable arguments, and add application-level validation that rejects any value containing CR (\r) or LF (\n) before it is passed to these methods. Note that quoting alone is not a fix: the vulnerable #id already quotes values, and line terminators survive quoting. The advisory explicitly states that untrusted input should never be used for #enable arguments regardless of gem version (GitHub Advisory, net-imap v0.6.4.1 Release).
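An application-level guard of the kind described above, added here as an example; it is not the gem's own validation code. It rejects CR, LF and other control bytes in #id field names and values and accepts only RFC 3501 atoms as #enable arguments. The helper names are invented, and net-imap's alias handling for #enable (symbols mapped to capability names) is not reproduced.

```ruby
# Added example, not net-imap code: guards to apply before calling Net::IMAP#id or
# Net::IMAP#enable on an unpatched version, or as defense in depth on a patched one.
# Helper names are invented; the atom grammar is RFC 3501's.

# RFC 3501 atom: one or more ATOM-CHARs, i.e. any CHAR except atom-specials:
# "(" ")" "{" SP CTL, list-wildcards "%" "*", quoted-specials '"' "\", resp-specials "]".
ATOM = /\A[^(){ \x00-\x1f\x7f%*"\\\]]+\z/

def valid_atom?(value)
  value.is_a?(String) && value.ascii_only? && ATOM.match?(value)
end

# Reject CR, LF and any other control byte in a value destined for an IMAP quoted
# string. Quoting escapes only '"' and '\', so line terminators must be refused,
# not escaped. nil is allowed because #id sends it as NIL.
def assert_no_control_chars!(value, what)
  return value if value.nil?
  if value.match?(/[\x00-\x1f\x7f]/)
    raise ArgumentError, "#{what} contains control characters (possible IMAP command injection)"
  end
  value
end

# Validate the hash passed to Net::IMAP#id: String keys, String-or-nil values,
# none containing control bytes. Returns a clean copy or raises ArgumentError.
def safe_id_fields(fields)
  fields.each_with_object({}) do |(key, value), out|
    raise ArgumentError, "ID field name must be a String" unless key.is_a?(String)
    raise ArgumentError, "ID field value must be a String or nil" unless value.nil? || value.is_a?(String)
    clean_key = assert_no_control_chars!(key, "ID field name")
    out[clean_key] = assert_no_control_chars!(value, "ID field #{clean_key}")
  end
end

# Validate capability names passed to Net::IMAP#enable: each #to_s must be a bare
# atom (e.g. "CONDSTORE", "UTF8=ACCEPT"). Returns the names or raises ArgumentError.
def safe_enable_args(*capabilities)
  capabilities.map do |cap|
    name = cap.to_s
    raise ArgumentError, "ENABLE argument #{name.inspect} is not an IMAP atom" unless valid_atom?(name)
    name
  end
end

# Intended call sites (commented out: they need a live server and the net/imap gem):
#   imap = Net::IMAP.new(host, ssl: true)
#   imap.id(safe_id_fields("name" => params[:client_name], "version" => params[:client_version]))
#   imap.enable(*safe_enable_args(*params[:capabilities]))

if __FILE__ == $PROGRAM_NAME
  p safe_id_fields("name" => "MyMailer", "version" => nil)
  p safe_enable_args("UTF8=ACCEPT", :CONDSTORE)
  begin
    safe_id_fields("name" => "MyMailer\r\nA001 DELETE INBOX")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The guard refuses the value rather than stripping the offending bytes: silently removing CRLF would change what the user submitted and hide the attempt, whereas raising surfaces it where the application can log it.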

Community Response

The vulnerability was discovered and reported by nevans (Nicholas A. Evans), the primary maintainer of the ruby/net-imap repository, who also authored the fixes. The advisory was published and reviewed on the same day (June 9, 2026), with the patch released simultaneously. No significant broader media coverage or notable external researcher commentary has been identified beyond the official advisory and scanner detections by Qualys and Nessus (GitHub Advisory, net-imap v0.6.4.1 Release).

Related Information

Sources

This report was generated using AI.

Related Ruby vulnerabilities:

CVE identifier   Severity  Score  Technology  Component name     CISA KEV exploited  Fix available  Published
CVE-2026-47242   MEDIUM    5.8    Ruby        ruby3.3-rails-8.1  No                  Yes            Jun 22, 2026
CVE-2026-54906   NONE      N/A    Ruby        ruby3.2-rails-8.0  No                  Yes            Jun 25, 2026
CVE-2026-54905   NONE      N/A    Ruby        ruby3.4-rails-8.1  No                  Yes            Jun 25, 2026
CVE-2026-54904   NONE      N/A    Ruby        ruby3.2-rails-8.1  No                  Yes            Jun 25, 2026
CVE-2026-54297   NONE      N/A    Ruby        ruby-faraday       No                  Yes            Jun 25, 2026
