AI description
CVE-2025-61594 refers to a URI credential leakage vulnerability that bypasses previous fixes. A security advisory regarding this vulnerability has been published. Additionally, CVE-2025-1594 describes a critical vulnerability in FFmpeg up to version 7.1. It affects the `ff_aac_search_for_tns` function in `libavcodec/aacenc_tns.c` of the AAC Encoder component. Exploitation of this vulnerability can lead to a stack-based buffer overflow, which can be initiated remotely.
- Description
- URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
- Source
- security-advisories@github.com
- NVD status
- Modified
- Products
- uri
CVSS 4.0
- Type
- Secondary
- Base score
- 2.1
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- LOW
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-200
- Hype score
- Not currently trending
๐จ Critical patch for #Fedora42 users! CVE-2025-61594: URI credential leakage bypass CVE-2025-58767: REXML Denial-of-Service Read more: ๐ https://t.co/cyAopv8bZ3 #Security https://t.co/bH52xUKrK4
@Cezar_H_Linux
12 Nov 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ruby 3.4.7 ๋ฆด๋ฆฌ์ค ๋ฐํ Ruby 3.4.7์ด CVE-2025-61594 ์ทจ์ฝ์ ํด๊ฒฐ์ ์ํ uri gem ์ ๋ฐ์ดํธ ๋ฐ ๊ธฐํ ๋ฒ๊ทธ ์์ ๊ณผ ํจ๊ป ๊ณต์ ๋ฆด๋ฆฌ์ค๋์์ต๋๋ค. https://t.co/j2lPvr19zl
@rubynewskr
7 Oct 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ruby 3.4.7 Released https://t.co/LMrbysAVfp This release contains a uri gem update for CVE-2025-61594, along with other bug fixes. We recommend updating your uri gem version. This release has been made for the convenience of those who wish to continue using it as a default gem.
@k0kubun
7 Oct 2025
8315 Impressions
18 Retweets
76 Likes
8 Bookmarks
0 Replies
0 Quotes
Ruby: CVE-2025-61594: URI Credential Leakage Bypass previous fixes https://t.co/fTnarZbcnp #rubylang # #devtalk
@dev_talk
7 Oct 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "488EF0F7-7510-451A-9EFC-85673ADC364D",
"versionEndExcluding": "0.12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "336CB58A-5975-4516-86A6-FAC69551C4A3",
"versionEndExcluding": "0.13.3",
"versionStartIncluding": "0.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "7930C9E3-5EEA-40F9-8299-25B6C681BAD6",
"versionEndExcluding": "1.0.4",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]