- Description
- URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- uri
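The description above turns on one behaviour: `URI#+` (an alias of `URI#merge`) inherits the base URI's userinfo, and affected uri gem versions could carry that userinfo into a result that no longer points at the base's host. The following Ruby is an added example for this record, not code from the uri gem or the advisory; the helper names `safe_join`, `strip_credentials`, `same_authority?` and `credentials_carried_over?` are chosen here for illustration, and the sample URIs and credentials are constructed placeholders. It applies the RFC 3986 rule itself (credentials may only survive a merge that stays on the base's scheme, host and port), so the outcome does not depend on which gem version is installed, and it includes a self-check an operator can run against a deployment.

```ruby
require "uri"

# Added example, not code from the uri gem or the advisory.
# Helper names are hypothetical; sample inputs below are constructed.

# Returns a copy of +uri+ with user and password removed.
# Password is cleared first: URI::Generic#user= only resets the
# password when it is already nil.
def strip_credentials(uri)
  stripped = uri.dup
  stripped.password = nil
  stripped.user = nil
  stripped
end

# True when the merged result still points at the base's scheme, host
# and port, i.e. the only case in which inheriting the base's
# credentials is legitimate under RFC 3986 reference resolution.
def same_authority?(base_uri, result)
  result.scheme == base_uri.scheme &&
    result.host == base_uri.host &&
    result.port == base_uri.port
end

# Joins +base+ and +ref+ like URI#+, but drops any credentials from
# the result whenever the authority changed. Deliberately conservative:
# credentials carried by the reference itself are dropped as well.
def safe_join(base, ref)
  base_uri = URI(base)
  result = base_uri + ref
  same_authority?(base_uri, result) ? result : strip_credentials(result)
end

# Deployment self-check: reports whether the installed uri gem lets the
# base's credentials travel to a different authority through a plain
# URI#+. Expected to be false on fixed versions (0.12.5, 0.13.3, 1.0.4
# and later); the example does not reproduce the affected behaviour.
def credentials_carried_over?(base, ref)
  base_uri = URI(base)
  return false if base_uri.userinfo.nil?
  result = base_uri + ref
  !same_authority?(base_uri, result) && result.userinfo == base_uri.userinfo
end

if __FILE__ == $0
  # Constructed sample inputs; "alice:s3cret" is a placeholder credential.
  base = "http://alice:s3cret@example.com/api/v1/"
  puts safe_join(base, "users")                  # same host: credentials kept
  puts safe_join(base, "//cdn.example.net/x.js") # new host: credentials dropped
  puts "installed uri gem carries credentials over: " \
       "#{credentials_carried_over?(base, '//cdn.example.net/x.js')}"
end
```

`safe_join` is the mitigation to apply in code that builds URLs from a credentialed base and untrusted or partially trusted references; `credentials_carried_over?` is a cheap check to add to a deployment's smoke tests so that a regression in the gem shows up before it reaches logs or third-party hosts.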
CVSS 4.0
- Type
- Secondary
- Base score
- 2.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- LOW
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-212
- Hype score
- Not currently trending
Critical patch for #Fedora42 users! CVE-2025-61594: URI credential leakage bypass CVE-2025-58767: REXML Denial-of-Service Read more: https://t.co/cyAopv8bZ3 #Security https://t.co/bH52xUKrK4
@Cezar_H_Linux
12 Nov 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ruby 3.4.7 release announced. Ruby 3.4.7 has been officially released with a uri gem update to address the CVE-2025-61594 vulnerability, along with other bug fixes. https://t.co/j2lPvr19zl
@rubynewskr
7 Oct 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ruby 3.4.7 Released https://t.co/LMrbysAVfp This release contains a uri gem update for CVE-2025-61594, along with other bug fixes. We recommend updating your uri gem version. This release has been made for the convenience of those who wish to continue using it as a default gem.
@k0kubun
7 Oct 2025
8315 Impressions
18 Retweets
76 Likes
8 Bookmarks
0 Replies
0 Quotes
Ruby: CVE-2025-61594: URI Credential Leakage Bypass previous fixes https://t.co/fTnarZbcnp #rubylang # #devtalk
@dev_talk
7 Oct 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "488EF0F7-7510-451A-9EFC-85673ADC364D",
"versionEndExcluding": "0.12.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "336CB58A-5975-4516-86A6-FAC69551C4A3",
"versionEndExcluding": "0.13.3",
"versionStartIncluding": "0.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "7930C9E3-5EEA-40F9-8299-25B6C681BAD6",
"versionEndExcluding": "1.0.4",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]