CVE-2025-27221

Low CVSS: 3.2

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Vendor

Ruby-lang

Product

Uri

CWE

CWE-212

Yayın Tarihi

2025-03-04 00:15:31

Güncelleme

2025-11-03 22:18:43

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-212 Uri LOW Ruby-lang 2025

Referanslar

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml https://hackerone.com/reports/2957667 https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html

Benzer Kayıtlar

High

CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a fo…

Low

CVE-2025-61594

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4…

Low

CVE-2025-58767

REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing…

Medium

CVE-2025-6442

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arb…

Medium

CVE-2025-43857

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.…

High

CVE-2025-27788

JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted docu…