FKIE_CVE-2025-61594

Vulnerability from fkie_nvd - Published: 2025-12-30 21:15 - Updated: 2026-04-16 18:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
References
security-advisories@github.comhttps://github.com/advisories/GHSA-22h5-pq3x-2gf2
security-advisories@github.comhttps://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r
security-advisories@github.comhttps://hackerone.com/reports/2957667
security-advisories@github.comhttps://www.ruby-lang.org/en/news/2025/02/26/security-advisories
Impacted products
Vendor Product Version
ruby-lang uri *
ruby-lang uri *
ruby-lang uri *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "488EF0F7-7510-451A-9EFC-85673ADC364D",
              "versionEndExcluding": "0.12.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "336CB58A-5975-4516-86A6-FAC69551C4A3",
              "versionEndExcluding": "0.13.3",
              "versionStartIncluding": "0.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "7930C9E3-5EEA-40F9-8299-25B6C681BAD6",
              "versionEndExcluding": "1.0.4",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4."
    },
    {
      "lang": "es",
      "value": "URI es un m\u00f3dulo que proporciona clases para manejar Identificadores Uniformes de Recursos. En versiones anteriores a 0.12.5, 0.13.3 y 1.0.4, existe un bypass para la correcci\u00f3n de CVE-2025-27221 que puede exponer credenciales de usuario. Al usar el operador \u0027+\u0027 para combinar URIs, informaci\u00f3n sensible como contrase\u00f1as del URI original puede filtrarse, violando RFC3986 y haciendo que las aplicaciones sean vulnerables a la exposici\u00f3n de credenciales. Las versiones 0.12.5, 0.13.3 y 1.0.4 corrigen el problema."
    }
  ],
  "id": "CVE-2025-61594",
  "lastModified": "2026-04-16T18:16:44.400",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.1,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-30T21:15:43.893",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://hackerone.com/reports/2957667"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-212"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.