CVE-2025-61594

Опубликовано: 30 дек. 2025

Источник: ubuntu

Приоритет: low

EPSS Низкий

CVSS3: 7.5

Описание

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

Релиз	Статус	Примечание
devel	not-affected	code not present
esm-apps/bionic	not-affected	code not present
esm-apps/focal	not-affected	code not present
esm-apps/noble	not-affected	code not present
esm-apps/xenial	not-affected	code not present
esm-infra-legacy/trusty	not-affected	code not present
jammy	DNE
noble	not-affected	code not present
plucky	ignored	end of life, was needs-triage
questing	not-affected	code not present

Показывать по

Релиз	Статус	Примечание
devel	DNE
esm-infra/xenial	needs-triage
jammy	DNE
noble	DNE
plucky	DNE
questing	DNE
upstream	needs-triage

Показывать по

Релиз	Статус	Примечание
devel	DNE
esm-infra/bionic	needs-triage
jammy	DNE
noble	DNE
plucky	DNE
questing	DNE
upstream	needs-triage

Показывать по

Релиз	Статус	Примечание
devel	DNE
esm-infra/focal	needs-triage
jammy	DNE
noble	DNE
plucky	DNE
questing	DNE
upstream	needs-triage

Показывать по

Релиз	Статус	Примечание
devel	DNE
jammy	needs-triage
noble	DNE
plucky	DNE
questing	DNE
upstream	needs-triage

Показывать по

Релиз	Статус	Примечание
devel	DNE
jammy	DNE
noble	needs-triage
plucky	DNE
questing	DNE
upstream	needs-triage

Показывать по

Релиз	Статус	Примечание
devel	needs-triage
jammy	DNE
noble	DNE
plucky	ignored	end of life, was needs-triage
questing	needs-triage
upstream	needs-triage

Показывать по

Ссылки на источники

EPSS

Процентиль: 3%

0.00015

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2025-61594

CVSS3: 6.5

redhat

3 месяца назад

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

CVE-2025-61594

CVSS3: 7.5

nvd

3 месяца назад

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

CVE-2025-61594

msrc

3 месяца назад

URI Credential Leakage Bypass over CVE-2025-27221

CVE-2025-61594

CVSS3: 7.5

debian

3 месяца назад

URI is a module providing classes to handle Uniform Resource Identifie ...

GHSA-j4pr-3wm6-xx2r

github

3 месяца назад

URI Credential Leakage Bypass over CVE-2025-27221

EPSS

Процентиль: 3%

0.00015

Низкий

7.5 High

CVSS3

CVE-2025-61594

Описание

Пакет jruby

Пакет ruby2.3

Пакет ruby2.5

Пакет ruby2.7

Пакет ruby3.0

Пакет ruby3.2

Пакет ruby3.3

Ссылки на источники

Связанные уязвимости