← Zuruck zu CVEs

CVE-2025-61594

HIGH

7.5

Beschreibung

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

CVE Details

CVSS v3.1 Bewertung7.5

SchweregradHIGH

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht12/30/2025

Zuletzt geandert4/16/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

ruby-lang:uri

Schwachen (CWE)

CWE-200CWE-212

Referenzen

https://github.com/advisories/GHSA-22h5-pq3x-2gf2(security-advisories@github.com)

https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r(security-advisories@github.com)

https://hackerone.com/reports/2957667(security-advisories@github.com)

https://www.ruby-lang.org/en/news/2025/02/26/security-advisories(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.