CVE-2025-27221 – uri

Package

Manager: gem
Name: uri
Vulnerable Version: >=0 <0.11.3 || >=0.12.0 <0.12.4 || >=0.13.0 <0.13.2 || >=1.0.0 <1.0.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: 0.00017 pctl0.02823

Details

URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.

Metadata

Created: 2025-03-03T22:07:53Z
Modified: 2025-03-04T15:47:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-22h5-pq3x-2gf2/GHSA-22h5-pq3x-2gf2.json
CWE IDs: ["CWE-200", "CWE-212"]
Alternative ID: GHSA-22h5-pq3x-2gf2
Finding: F038
Auto approve: 1