CVE-2025-61594 (GCVE-0-2025-61594)

Vulnerability from cvelistv5 – Published: 2025-12-30 21:03 – Updated: 2026-04-16 17:02
VLAI?
Title
URI Credential Leakage Bypass over CVE-2025-27221
Summary
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
Severity ?
2.1 (Low)
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
Assigner
References
Impacted products
Vendor Product Version
ruby uri Affected: < 0.12.5
Affected: >= 0.13.0, < 0.13.3
Affected: >= 1.0.0, < 1.0.4
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61594",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-30T21:29:32.513492Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-30T21:29:39.048Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "uri",
          "vendor": "ruby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.12.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.13.0, \u003c 0.13.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T17:02:32.149Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r"
        },
        {
          "name": "https://hackerone.com/reports/2957667",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/2957667"
        },
        {
          "name": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2"
        },
        {
          "name": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"
        }
      ],
      "source": {
        "advisory": "GHSA-j4pr-3wm6-xx2r",
        "discovery": "UNKNOWN"
      },
      "title": "URI Credential Leakage Bypass over CVE-2025-27221"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-61594",
    "datePublished": "2025-12-30T21:03:08.990Z",
    "dateReserved": "2025-09-26T16:25:25.150Z",
    "dateUpdated": "2026-04-16T17:02:32.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-61594",
      "date": "2026-04-18",
      "epss": "9e-05",
      "percentile": "0.0084"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-61594\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-30T21:15:43.893\",\"lastModified\":\"2026-04-16T18:16:44.400\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.\"},{\"lang\":\"es\",\"value\":\"URI es un m\u00f3dulo que proporciona clases para manejar Identificadores Uniformes de Recursos. En versiones anteriores a 0.12.5, 0.13.3 y 1.0.4, existe un bypass para la correcci\u00f3n de CVE-2025-27221 que puede exponer credenciales de usuario. Al usar el operador \u0027+\u0027 para combinar URIs, informaci\u00f3n sensible como contrase\u00f1as del URI original puede filtrarse, violando RFC3986 y haciendo que las aplicaciones sean vulnerables a la exposici\u00f3n de credenciales. Las versiones 0.12.5, 0.13.3 y 1.0.4 corrigen el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-212\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"0.12.5\",\"matchCriteriaId\":\"488EF0F7-7510-451A-9EFC-85673ADC364D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"0.13.0\",\"versionEndExcluding\":\"0.13.3\",\"matchCriteriaId\":\"336CB58A-5975-4516-86A6-FAC69551C4A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"1.0.4\",\"matchCriteriaId\":\"7930C9E3-5EEA-40F9-8299-25B6C681BAD6\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-22h5-pq3x-2gf2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://hackerone.com/reports/2957667\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.ruby-lang.org/en/news/2025/02/26/security-advisories\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-61594\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-30T21:29:32.513492Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-30T21:29:36.147Z\"}}], \"cna\": {\"title\": \"URI Credential Leakage Bypass over CVE-2025-27221\", \"source\": {\"advisory\": \"GHSA-j4pr-3wm6-xx2r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ruby\", \"product\": \"uri\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.12.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.13.0, \u003c 0.13.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.0.0, \u003c 1.0.4\"}]}], \"references\": [{\"url\": \"https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r\", \"name\": \"https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://hackerone.com/reports/2957667\", \"name\": \"https://hackerone.com/reports/2957667\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/advisories/GHSA-22h5-pq3x-2gf2\", \"name\": \"https://github.com/advisories/GHSA-22h5-pq3x-2gf2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.ruby-lang.org/en/news/2025/02/26/security-advisories\", \"name\": \"https://www.ruby-lang.org/en/news/2025/02/26/security-advisories\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-212\", \"description\": \"CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-16T17:02:32.149Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-61594\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-16T17:02:32.149Z\", \"dateReserved\": \"2025-09-26T16:25:25.150Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-30T21:03:08.990Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.