Severity: HIGH 7.5

GHSA-j4pr-3wm6-xx2r

URI Credential Leakage Bypass over CVE-2025-27221

Details

### Impact

In the affected versions of the `uri` gem, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

When the `+` operator is used to combine URIs, sensitive information such as the password from the original (base) URI can be carried into the resulting URI. This violates RFC 3986 and leaves applications open to credential exposure.

The vulnerability affects the `uri` gem bundled with the following Ruby series:

* 0.12.4 and earlier (bundled in Ruby 3.2 series)
* 0.13.2 and earlier (bundled in Ruby 3.3 series)
* 1.0.3 and earlier (bundled in Ruby 3.4 series)
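As an added example (not part of this advisory and not the `uri` gem's own fix), the following Ruby wrapper resolves a reference against a base URI with `URI#+` and then, as a defensive measure, drops the base URI's credentials from the result unless the reference itself supplied userinfo. It also includes a regression check that reports whether the installed gem's own `+` carries the base password into a result that points at a different host. The names `safe_join` and `credential_leak?` are chosen here, the sample URLs are constructed, and the strip-inherited-credentials policy is deliberately stricter than plain RFC 3986 resolution (where a path-only reference inherits the base authority, credentials included).

```ruby
require "uri"

# Added example, not the uri gem's own fix. Resolves `reference` against
# `base` with URI#+ and then drops the base URI's credentials from the
# result unless the reference itself carried userinfo. This is a stricter
# policy than plain RFC 3986 resolution (a path-only reference inherits the
# base authority, credentials included); it is chosen so that a password
# embedded in a configuration URL can never ride along into a request
# aimed at another host.
def safe_join(base, reference)
  ref_uri  = URI(reference)
  resolved = URI(base) + ref_uri
  unless ref_uri.userinfo
    # Clear the password before the user: URI::Generic#userinfo= ignores nil,
    # and password= requires a user to still be present when it is non-nil.
    resolved.password = nil
    resolved.user = nil
  end
  resolved
end

# Regression check for the issue described in the advisory: does the
# installed gem's own `+` carry the base URI's password into a result that
# points at a different host? Returns false when the base has no password
# or the host is unchanged; for a cross-host reference the answer depends
# on whether the installed uri version is patched.
def credential_leak?(base, reference)
  base_uri = URI(base)
  return false if base_uri.password.nil?
  resolved = base_uri + reference
  resolved.host != base_uri.host && resolved.password == base_uri.password
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs (hypothetical host names and credentials).
  base = "http://deploy:s3cret@example.com/api/"
  puts safe_join(base, "v1/items")             # http://example.com/api/v1/items
  puts safe_join(base, "//cdn.example.net/x")  # http://cdn.example.net/x
  puts "leak across hosts: #{credential_leak?(base, '//cdn.example.net/x')}"
end
```

`safe_join` is deterministic on patched and unpatched gem versions because it never trusts the library to clear inherited userinfo; `credential_leak?` is the complementary check to run in a test suite so that a downgrade or an unpinned `uri` version is noticed.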

### Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4, depending on which series you use.

### References

* https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
* https://hackerone.com/reports/2957667


Affected packages

| Package | Introduced in | Fixed in | Fix |
| --- | --- | --- | --- |
| RubyGems / uri | 0 | 0.12.5 | `bundle update uri` |
| RubyGems / uri | 0.13.0 | 0.13.3 | `bundle update uri` |
| RubyGems / uri | 1.0.0 | 1.0.4 | `bundle update uri` |
