HIGH 7.5 RubyGems
URI Credential Leakage Bypass over CVE-2025-27221
GHSA-j4pr-3wm6-xx2r · CVE-2025-61594
Published · Modified
Description
Impact
In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.
When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.
The vulnerability affects the uri gem bundled with the following Ruby series:
- 0.12.4 and earlier (bundled in Ruby 3.2 series)
- 0.13.2 and earlier (bundled in Ruby 3.3 series)
- 1.0.3 and earlier (bundled in Ruby 3.4 series)
Patches
Upgrade to 0.12.5, 0.13.3 or 1.0.4
References
References
- WEB https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-61594
- WEB https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
- WEB https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c
- WEB https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a
- WEB https://hackerone.com/reports/2957667
- ADVISORY https://github.com/advisories/GHSA-22h5-pq3x-2gf2
- PACKAGE https://github.com/ruby/uri
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
- WEB https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
- WEB https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
Ready to move
Start Securing
Free, no credit card | First findings in minutes