CVE-2025-46551
EPSS 0.10%JRuby-OpenSSL has hostname verification disabled by default
Description
### Summary When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn't complain. ### Details n/a ### PoC An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3 ```ruby require "net/http" require "openssl" uri = URI("https://bad.substitutealert.com/") https = Net::HTTP.new(uri.host, uri.port) https.use_ssl = true https.verify_mode = OpenSSL::SSL::VERIFY_PEER body = https.start { https.get(uri.request_uri).body } puts body ``` ### Impact Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely
Affected packages (3)
- Maven/org.jruby:jruby>= 10.0.0.0, < 10.0.0.1
- Maven/rubygems:jruby-openssl>= 0.12.1, < 0.15.4
- RubyGems/jruby-openssl>= 0.12.1, < 0.15.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-46551
- PATCHhttps://github.com/jruby/jruby-openssl
- WEBhttps://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285
- WEBhttps://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055
- WEBhttps://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2025-46551.yml