← Volver a CVEs

CVE-2025-61594

HIGH

7.5

Descripcion

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Detalles CVE

Puntuacion CVSS v3.17.5

SeveridadHIGH

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado12/30/2025

Ultima modificacion4/16/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

ruby-lang:uri

Debilidades (CWE)

CWE-200CWE-212

Referencias

https://github.com/advisories/GHSA-22h5-pq3x-2gf2(security-advisories@github.com)

https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r(security-advisories@github.com)

https://hackerone.com/reports/2957667(security-advisories@github.com)

https://www.ruby-lang.org/en/news/2025/02/26/security-advisories(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.