CVE-2026-42257 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-42257	MEDIUM	net-imap	0.5.8	0.6.4, 0.5.14, 0.4.24	2026-05-09T20:16:28.463Z	2026-05-10T10:19:03.658919039Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/ruby:latest	public.ecr.aws/lambda/ruby@sha256:1541cfd2be4f73d13faf7f81c559d68a3d5c9e9bb4286a7da4a209961002699c
public.ecr.aws/lambda/ruby:4.0	public.ecr.aws/lambda/ruby@sha256:b92694baff57c96c12ad78429f62efd197d0682b51e9fee81b8332a970915266
public.ecr.aws/lambda/ruby:3.4	public.ecr.aws/lambda/ruby@sha256:1541cfd2be4f73d13faf7f81c559d68a3d5c9e9bb4286a7da4a209961002699c
public.ecr.aws/lambda/ruby:3.3	public.ecr.aws/lambda/ruby@sha256:71fcf68f4ec0a40961bac4fa741a2116379010d1a1fdfc0f65a79521bb032ee6

---

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

---

Remediation Steps

• Update the affected package net-imap from version 0.5.8 to 0.6.4, 0.5.14, 0.4.24.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.