CVE-2025-61594

Description

### Impact In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. The vulnerability affects the `uri` gem bundled with the following Ruby series: * 0.12.4 and earlier (bundled in Ruby 3.2 series) * 0.13.2 and earlier (bundled in Ruby 3.3 series) * 1.0.3 and earlier (bundled in Ruby 3.4 series) ### Patches Upgrade to 0.12.5, 0.13.3 or 1.0.4 ### References * https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/ * https://hackerone.com/reports/2957667

Affected packages (6)

• Alpine/rubyfrom 0, < 3.3.10-r0
• Debian/ruby2.7from 0
• Debian/ruby3.1from 0
• Debian/ruby3.3from 0
• Debian/rubygemsfrom 0
• RubyGems/urifrom 0, < 0.12.5

CVSS scores

References (13)

• ADVISORYhttps://github.com/advisories/GHSA-22h5-pq3x-2gf2
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-61594
• ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2025-61594
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-61594
• PATCHhttps://github.com/ruby/uri
• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
• WEBhttps://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
• WEBhttps://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c
• WEBhttps://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a
• WEBhttps://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r
• WEBhttps://hackerone.com/reports/2957667
• WEBhttps://www.ruby-lang.org/en/news/2025/02/26/security-advisories
• WEBhttps://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594