Bug #21297

closed

Update net-imap for ruby 3.2, 3.3, 3.4

Added by nevans (Nicholas Evans) about 2 months ago. Updated about 1 month ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:121782]

Description

The bundled net-imap versions are vulnerable to CVE-2025-43857 (GHSA-j3g3-5qv5-52mj). This vulnerability does not affect securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname).

Fixing the issue requires upgrading to v0.2.5, v0.3.9, v0.4.20, or v0.5.7.

I didn't have a release ready in time to be bundled with the final version of ruby 3.1, so I haven't created a PR for v0.2.5.
v0.4.21 and v0.5.8 are primarily bug fixes, so my PRs for ruby 3.3 and 3.4 upgrade to those versions.

The workaround is to uninstall the vulnerable bundled versions and gem install net-imap.

Security Advisory Links:
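A version check for the fixed releases listed above, added here as an example and not code from the net-imap project or the reporter. It assumes the fix thresholds are exactly the four versions named in the description and that any release at or above 0.5.7 (the newest listed) also contains the fix.

```ruby
require "rubygems"

# Minimum fixed release per net-imap series, taken from the report above.
FIXED_NET_IMAP = {
  "0.2" => Gem::Version.new("0.2.5"),
  "0.3" => Gem::Version.new("0.3.9"),
  "0.4" => Gem::Version.new("0.4.20"),
  "0.5" => Gem::Version.new("0.5.7"),
}.freeze

# Newest fixed version named in the report; used for series it does not list.
NEWEST_FIXED = FIXED_NET_IMAP.values.max

# Returns true when a net-imap version string is at or above the fixed
# release for its series. Series not listed (e.g. 0.1.x, or anything newer
# than 0.5) are compared against the newest listed fix instead; treating
# later series as fixed is an assumption, not something the report states.
def net_imap_fixed?(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments[0, 2].join(".")
  floor = FIXED_NET_IMAP.fetch(series, NEWEST_FIXED)
  version >= floor
end

# Enumerates every net-imap gem visible to this Ruby (bundled and user
# installed alike) and returns [version_string, fixed?] pairs, so a host
# with both a vulnerable bundled copy and a patched user install shows both.
def audit_installed_net_imap
  Gem::Specification
    .select { |spec| spec.name == "net-imap" }
    .map { |spec| [spec.version.to_s, net_imap_fixed?(spec.version.to_s)] }
end

if __FILE__ == $PROGRAM_NAME
  audit_installed_net_imap.each do |version, fixed|
    status = fixed ? "fixed" : "VULNERABLE (see report: gem uninstall, then gem install net-imap)"
    puts "net-imap #{version}: #{status}"
  end
end
```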
