CVE-2025-61594
HIGH 7.5
Description
URI is a Ruby module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series) and 1.0.3 and earlier (bundled in the Ruby 3.4 series), using the + operator to combine URIs can leak sensitive information, such as the password from the original (base) URI, into the combined URI. This violates RFC 3986, where userinfo is part of the authority component and is not carried over to a different authority, and exposes applications to credential disclosure. The issue is a bypass of the fix for CVE-2025-27221. It has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
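Added example, not code from the advisory, the uri gem or any of the references below: a Ruby snippet that (1) reports whether a given uri gem version falls inside the fixed ranges listed in the description, and (2) wraps URI#+ in a helper that enforces the RFC 3986 section 5.2.2 rule the description refers to, so base-URI credentials never travel to a different authority regardless of which uri version is installed. The helper names (uri_gem_patched?, safe_join, userinfo_leaks?) and the sample URIs are assumptions made for this example; the cross-host reference used as a probe is a generic authority change, not the advisory's reproducer, which this page does not give.

```ruby
require 'uri'
require 'rubygems'

# Fixed releases named in the advisory, keyed by [major, minor] series.
URI_FIXED_VERSIONS = {
  [0, 12] => Gem::Version.new("0.12.5"),
  [0, 13] => Gem::Version.new("0.13.3"),
  [1, 0]  => Gem::Version.new("1.0.4"),
}.freeze

# True when +version_string+ is a uri gem release that contains the fix.
# Pass URI::VERSION to check the library actually loaded in this process.
def uri_gem_patched?(version_string)
  v = Gem::Version.new(version_string)
  return true if v >= URI_FIXED_VERSIONS[[1, 0]]   # 1.0.4 and every later release
  fixed = URI_FIXED_VERSIONS[v.segments.first(2)]  # 0.12.x or 0.13.x backport series
  return false if fixed.nil?                        # 0.11 and older never received a fix
  v >= fixed
end

# Resolve +ref+ against +base+ with URI#+ (an alias of URI#merge), then enforce
# RFC 3986 section 5.2.2: userinfo is part of the authority, so it must not
# survive when the resolved URI's scheme, host or port differs from the base's.
# Defence in depth: gives the same answer on patched and unpatched uri versions.
def safe_join(base, ref)
  base_uri = base.is_a?(URI::Generic) ? base : URI.parse(base)
  result = base_uri + ref
  same_authority = result.scheme == base_uri.scheme &&
                   result.host.to_s.downcase == base_uri.host.to_s.downcase &&
                   result.port == base_uri.port
  unless same_authority
    # URI::Generic#userinfo= treats nil as a no-op, so clear the two
    # components individually.
    result.password = nil
    result.user = nil
  end
  result
end

# True if the installed URI#+ carries the base URI's credentials to a different
# host, i.e. the behaviour the advisory describes. Version dependent by design:
# run it against the uri gem you actually ship.
def userinfo_leaks?(base, ref)
  base_uri = URI.parse(base)
  raw = base_uri + ref
  !raw.userinfo.nil? && raw.host.to_s.downcase != base_uri.host.to_s.downcase
end

# Constructed sample input (not from the advisory): a base URL carrying deploy
# credentials, a reference that moves the request to another host, and a
# same-host relative reference.
BASE = "https://deploy:s3cr3t@git.example.com/org/repo.git"
CROSS_HOST_REF = "//mirror.example.org/org/repo.git"
SAME_HOST_REF = "releases/latest"

if $PROGRAM_NAME == __FILE__
  puts "uri #{URI::VERSION} within fixed ranges: #{uri_gem_patched?(URI::VERSION)}"
  puts "raw URI#+ leaks credentials across hosts: #{userinfo_leaks?(BASE, CROSS_HOST_REF)}"
  puts "safe_join cross-host: #{safe_join(BASE, CROSS_HOST_REF)}"  # no deploy:s3cr3t
  puts "safe_join same-host:  #{safe_join(BASE, SAME_HOST_REF)}"   # credentials kept
end
```

uri_gem_patched? only encodes the three fixed versions the advisory names and treats anything at or above 1.0.4 as fixed; it is a range check, not a substitute for verifying the patched merge behaviour, which is what userinfo_leaks? probes against the loaded library. safe_join keeps credentials only for same-authority results (the relative reference above), which is the behaviour RFC 3986 prescribes.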
CVE details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 12/30/2025
Last modified: 4/16/2026
Source: nvd
Honeypot observations: 0
Affected products
ruby-lang:uri
Weaknesses (CWE)
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer)
References
https://github.com/advisories/GHSA-22h5-pq3x-2gf2 (source: security-advisories@github.com)
https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r (source: security-advisories@github.com)
https://hackerone.com/reports/2957667 (source: security-advisories@github.com)
https://www.ruby-lang.org/en/news/2025/02/26/security-advisories (source: security-advisories@github.com)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.