CVE-2025-25186 | Net::IMAP vulnerable to possible DoS by memory exhaustion

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory.

Published: 2025-02-10 Last update: 2026-04-15 Assigner: [email protected] Source: [email protected]

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2025-25186

EPSS CVSS CWE GHSA OS Tracker

Conclusion & alert: CVE-2025-25186 is rated Low Risk (37.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.14%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-25186

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-03-21	0.24%	0.14%	-0.10%
2	2025-11-27	0.31%	0.24%	-0.07%
3	2025-11-21	—	0.31%	—

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-25186

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.5	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	3.6	[email protected]

Weakness enumeration for CVE-2025-25186

CWE-1287 MITRE ↗ CWE-400 MITRE ↗ CWE-405 MITRE ↗ CWE-409 MITRE ↗ CWE-770 MITRE ↗ CWE-789 MITRE ↗

GitHub Security Advisory for CVE-2025-25186

GHSA-7fc5-f82f-cx69 · Severity: medium · Ecosystem: rubygems — Possible DoS by memory exhaustion in net-imap

OS Trackers for CVE-2025-25186

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2025-25186 not yet assigned priority: Debian including 2 source packages (ruby3.1, ruby3.3), 4 status rows across 4 suites (bookworm, forky, sid, trixie): resolved 3, open 1.	https://security-tracker.debian.org/tracker/CVE-2025-25186
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-25186
`suse`	medium	CVE-2025-25186 severity moderate: SUSE including 71 source package names (libruby2_1-2_1, libruby2_5-2_5, …), 249 product×package rows across 34 product lines (SLES-LTSS-TERADATA 15 SP2, SUSE Liberty Linux 8, … (34 product lines)): Known Not Affected 191, Fixed 58.	https://www.suse.com/security/cve/CVE-2025-25186/
`ubuntu`	low	CVE-2025-25186 low priority: Ubuntu including 6 source packages (ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3), 32 status rows across 7 suites (bionic, focal, jammy, noble, oracular, upstream, xenial): DNE 20, needs-triage 6, not-affected 4, released 2.	https://ubuntu.com/security/CVE-2025-25186

Affected software / configurations for CVE-2025-25186

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2025-25186

URL	Tags
https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35
https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3
https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022
https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69

cvelogic Threat Intelligence