exploitDog

GHSA-j4pr-3wm6-xx2r

Published: Dec 30, 2025
Source: github
GitHub: Reviewed
CVSS4: 2.7

Description

URI Credential Leakage Bypass over CVE-2025-27221

Impact

In the affected uri gem versions, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

When using the + operator to combine URIs, sensitive information such as a password from the original (base) URI can be carried into the result. This violates RFC 3986 section 5.2.2, under which an authority supplied by the reference replaces the base authority in full, userinfo included, and makes applications vulnerable to credential exposure when the combined URI is requested, logged or displayed.

The vulnerability affects the uri gem bundled with the following Ruby series:

  • 0.12.4 and earlier (bundled in Ruby 3.2 series)
  • 0.13.2 and earlier (bundled in Ruby 3.3 series)
  • 1.0.3 and earlier (bundled in Ruby 3.4 series)

Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4
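To demonstrate the failure mode, and to give an application a check that holds regardless of which uri gem version the interpreter ships, the following is an added Ruby example; it is not code from the uri gem or from this advisory. The base URI, the sample references and the helper names leaked_credentials?, safe_join and audit_joins are constructed for illustration.

```ruby
require "uri"

# Added illustration, not code from the uri gem or the advisory.
# Constructed sample base URI carrying credentials.
BASE = URI.parse("http://user:s3cret@example.com/api/v1/")

# RFC 3986 section 5.2.2: if the reference supplies an authority, the target's
# authority is the reference's authority in full. Userinfo from the base must
# therefore never appear in a result whose host or port differs from the base.
def leaked_credentials?(base, result)
  return false if base.userinfo.nil? || result.userinfo.nil?
  return false unless result.userinfo == base.userinfo
  result.host != base.host || result.port != base.port
end

# Defensive wrapper around URI#+ (an alias of URI#merge). Independent of whether
# the installed uri gem is patched: any userinfo that crossed to a different
# authority is stripped before the result is returned.
def safe_join(base, ref)
  result = (base + ref).dup
  if leaked_credentials?(base, result)
    # URI::Generic#userinfo= ignores nil, so clear the two parts separately.
    result.password = nil
    result.user = nil
  end
  result
end

# Audit helper: return the references that leak credentials under the uri gem
# loaded in this interpreter (a quick way to test a deployed Ruby).
def audit_joins(base, refs)
  refs.select { |ref| leaked_credentials?(base, base + ref) }
end

# Constructed sample references covering the three cases that matter.
SAMPLE_REFS = [
  "v2/items",                    # same authority: credentials legitimately kept
  "//other.example.org/x",       # authority replaced: credentials must be dropped
  "https://third.example.net/y", # absolute reference: returned as-is, no credentials
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "uri gem #{URI::VERSION}"
  SAMPLE_REFS.each do |ref|
    puts "#{ref.ljust(30)} raw: #{BASE + ref}  safe: #{safe_join(BASE, ref)}"
  end
  leaking = audit_joins(BASE, SAMPLE_REFS)
  puts leaking.empty? ? "no leak under this gem" : "leaks: #{leaking.join(', ')}"
end
```

Run the file under each Ruby series you deploy: on an unpatched gem the "//other.example.org/x" line shows the raw result still carrying user:s3cret while the safe_join result does not; on 0.12.5, 0.13.3 or 1.0.4 and later both forms agree. The wrapper is a belt-and-braces measure, not a substitute for upgrading.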

Packages

Package  Ecosystem  Affected versions     Fixed version
uri      rubygems   < 0.12.5              0.12.5
uri      rubygems   >= 0.13.0, < 0.13.3   0.13.3
uri      rubygems   >= 1.0.0, < 1.0.4     1.0.4

EPSS: 0.00073 (percentile: 23%, Low)

CVSS4: 2.7 Low

Weaknesses: CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer)

Related vulnerabilities

ubuntu
about 1 month ago

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

nvd
about 1 month ago

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

msrc
about 1 month ago

URI Credential Leakage Bypass over CVE-2025-27221

debian
about 1 month ago

URI is a module providing classes to handle Uniform Resource Identifie ...

rocky
about 1 month ago

Moderate: ruby security update
