CVE-2025-61594

Low CVSS: 2.7

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

Vendor

Ruby-lang

Product

Uri

CWE

CWE-212

Yayın Tarihi

2025-12-30 21:15:43

Güncelleme

2026-02-24 14:57:18

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-212 Uri LOW Ruby-lang 2025

Referanslar

https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902 https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/

Benzer Kayıtlar

High

CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a fo…

Low

CVE-2025-58767

REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing…

Medium

CVE-2025-6442

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arb…

Medium

CVE-2025-43857

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.…

High

CVE-2025-27788

JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted docu…

Medium

CVE-2025-27219

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Ser…