Cyber Resilience

CVE-2025-43857

MediumDDoS

Published: 28 April 2025

Published
28 April 2025
Modified
21 November 2025
KEV Added
Patch
CVSS Score v4 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0039 60.7th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-43857 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Ruby-Lang Net\. Its CVSS base score is 6.0 (Medium).

Operationally, ranked in the top 39.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the…

more

client is connected, a malicious server can send can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ruby-lang
net\
\

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

Alternate paths allow continued C2 operations when an attacker exploits resource-consumption weaknesses against the primary channel.

Directly limits uncontrolled resource consumption that leads to denial-of-service.

Directly mitigates uncontrolled consumption by enforcing allocation limits/quotas that preserve availability for legitimate use.

addresses: CWE-400 CWE-770

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

addresses: CWE-400 CWE-770

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

addresses: CWE-400 CWE-770

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

References