CVE-2025-43857
Ruby vulnerability analysis and mitigation

Overview

Net::IMAP, the Ruby library (the net-imap gem) that implements Internet Message Access Protocol (IMAP) client functionality, contains a vulnerability (CVE-2025-43857) discovered on April 26, 2025. It affects versions prior to 0.5.7, 0.4.20, 0.3.9, and 0.2.5 and lets a malicious server cause a denial of service through memory exhaustion while net-imap reads the server's responses (GitHub Advisory).

Technical details

The vulnerability stems from how the client handles IMAP 'literal' strings in server responses. A literal is transmitted as its length in curly braces, {N}, followed by CRLF and then N octets of data. When Net::IMAP parsed such a response it passed the server-supplied N straight to IO#read, which allocates a buffer of that many bytes up front, with no upper bound and before any of the data has arrived. A server can therefore declare an enormous literal and never send it, and the client allocates the memory anyway. The vulnerability has been assigned a CVSS v4.0 score of 6.0 (Moderate) and is tracked under several CWE categories: CWE-400 (Uncontrolled Resource Consumption), CWE-405 (Asymmetric Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling), and CWE-789 (Memory Allocation with Excessive Size Value) (GitHub Advisory, NVD).
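The following is an added example, not code from the net-imap gem, showing the unbounded read pattern described above beside a bounded one. The server responses are constructed for the example, RecordingSocket is a stand-in for the socket that records what size the client asks IO#read for (so nothing large is actually allocated), and the ResponseTooLargeError class is local to the example. The literal-prefix handling is a simplification of the real parser.

```ruby
require "stringio"

# Constructed server responses (not captured from a real server). The first is a
# benign FETCH with a 13-byte literal; the second declares a 1 TiB literal and
# then sends nothing, which is all a hostile server needs to do.
BENIGN_RESPONSE  = "* 1 FETCH (BODY[] {13}\r\nHello, world!)\r\n"
HOSTILE_RESPONSE = "* 1 FETCH (BODY[] {1099511627776}\r\n"

# Matches the literal prefix "{N}" at the end of a line, as in "... {13}\r\n".
LITERAL_PREFIX = /\{(\d+)\}\r\n\z/

# Stand-in for the socket: serves the scripted bytes and records every read(n)
# request so we can see what size the client asked for without allocating it
# (a real IO#read(n) sizes its buffer to n before any data arrives).
class RecordingSocket
  attr_reader :read_requests

  def initialize(data)
    @io = StringIO.new(data)
    @read_requests = []
  end

  def gets(sep)
    @io.gets(sep)
  end

  def read(n)
    @read_requests << n
    @io.read(n)
  end
end

class ResponseTooLargeError < StandardError; end

# Vulnerable pattern, simplified from what pre-fix net-imap did: trust the
# declared size and hand it straight to read.
def read_literal_unbounded(sock)
  line = sock.gets("\r\n")
  m = line && LITERAL_PREFIX.match(line)
  return [line, nil] unless m
  [line, sock.read(m[1].to_i)]
end

# Hardened pattern: refuse before allocating when the literal would push the
# response past max_response_size. The bytes of the line already read count
# toward the budget, so the check is on the whole response, not the literal alone.
def read_literal_bounded(sock, max_response_size:)
  line = sock.gets("\r\n")
  m = line && LITERAL_PREFIX.match(line)
  return [line, nil] unless m
  size = m[1].to_i
  if line.bytesize + size > max_response_size
    raise ResponseTooLargeError,
          "server declared a #{size}-byte literal; limit is #{max_response_size} bytes"
  end
  [line, sock.read(size)]
end

# Runs both readers against both responses and returns what each one did.
def demonstrate(limit = 512 * 1024 * 1024)
  benign  = RecordingSocket.new(BENIGN_RESPONSE)
  hostile = RecordingSocket.new(HOSTILE_RESPONSE)
  safe    = RecordingSocket.new(HOSTILE_RESPONSE)

  read_literal_unbounded(benign)
  read_literal_unbounded(hostile)
  rejected = begin
    read_literal_bounded(safe, max_response_size: limit)
    false
  rescue ResponseTooLargeError
    true
  end

  {
    benign_literal: benign.read_requests,      # [13]
    unbounded_hostile: hostile.read_requests,  # [1099511627776]: what an unpatched client hands to IO#read
    bounded_hostile: safe.read_requests,       # []: rejected before any read
    rejected: rejected,                        # true
  }
end

puts demonstrate.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the recording socket is that the unbounded reader never sees a single byte of the hostile literal; the damage is done by the size it requests. On a real socket that request is the allocation.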

Impact

The vulnerability affects clients that connect to untrusted, buggy, or compromised IMAP servers; a well-behaved server does not send absurd literal sizes, so a client that only ever talks to a trusted server is not exposed. When exploited, it causes denial of service through memory exhaustion: the client allocates memory sized by the server's declared literal length, so a single oversized response can degrade performance or crash the process (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5. The fix introduces a configurable max_response_size limit in Net::IMAP's response reader; a literal that would push a response past the limit is rejected before any buffer is allocated. In 0.4.20 and 0.5.7 the limit is an attribute of Net::IMAP::Config, so it can be set globally through Net::IMAP.config or per connection. The default in 0.5.7 is 512 MiB; the earlier patched versions default to unlimited for backwards compatibility, so upgrading to one of them without also setting a limit leaves the client as exposed as before. When connecting to untrusted servers, set a value sized to the largest message you actually expect to fetch; even the 512 MiB default is a lot of memory for a small worker process (GitHub Advisory).
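The following is an added example, not part of the advisory or the gem, of how an operator would check whether the installed net-imap carries the fix and apply the global limit. The fixed-version table is taken from the text above; net_imap_patched?, installed_net_imap_status and apply_global_response_limit are names chosen here. The per-connection form shown in the comment assumes the config: keyword accepts a hash of Config attributes (as the gem's Config documentation describes); it needs a live server, so it is not executed.

```ruby
# net-imap is a bundled gem, so a minimal Ruby install may lack it; the
# functions below report that instead of failing.
begin
  require "net/imap"
rescue LoadError
  nil
end

# First fixed release in each series, per the advisory.
FIXED_NET_IMAP = {
  "0.2" => Gem::Version.new("0.2.5"),
  "0.3" => Gem::Version.new("0.3.9"),
  "0.4" => Gem::Version.new("0.4.20"),
  "0.5" => Gem::Version.new("0.5.7"),
}.freeze

# True when a net-imap version string carries the fix. Series newer than 0.5
# postdate the fix; anything older than 0.2 never received one.
def net_imap_patched?(version_string)
  version = Gem::Version.new(version_string)
  series  = version.segments.first(2).join(".")
  fixed   = FIXED_NET_IMAP[series]
  return version >= FIXED_NET_IMAP["0.5"] if fixed.nil?
  version >= fixed
end

# Reports the installed gem and whether it is patched; nil when not installed.
def installed_net_imap_status
  return nil unless defined?(Net::IMAP::VERSION)
  { version: Net::IMAP::VERSION, patched: net_imap_patched?(Net::IMAP::VERSION) }
end

# Sets the global limit and returns the value now in effect, or nil when the
# installed gem has no max_response_size, meaning it predates the fix and must
# be upgraded: there is no configuration-only workaround on those versions.
def apply_global_response_limit(limit_bytes)
  return nil unless defined?(Net::IMAP) && Net::IMAP.respond_to?(:config)
  config = Net::IMAP.config
  return nil unless config.respond_to?(:max_response_size=)
  config.max_response_size = limit_bytes
  config.max_response_size
end

# Per-connection override for one untrusted server (assumed hash form of the
# config: keyword; requires a live server, so shown rather than called):
#   imap = Net::IMAP.new(host, ssl: true,
#                        config: { max_response_size: 8 * 1024 * 1024 })

if __FILE__ == $PROGRAM_NAME
  p installed_net_imap_status
  p apply_global_response_limit(8 * 1024 * 1024)
end
```

Run this in the same Ruby (and Bundler context) as the application, since the version Bundler resolves is the one that matters, not whatever gem list shows first.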

Community reactions

The vulnerability has received attention from major Linux distributions: Ubuntu rated it low priority because it is only a memory-consumption issue, and only when connecting to untrusted IMAP servers. The JRuby project responded by updating its net-imap dependency to version 0.2.5 to pick up the fix (Ubuntu).
