Fluid Attacks Database

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	uri	>=0 <0.12.5 \|\| >=0.13.0 <0.13.3 \|\| >=1.0.0 <1.0.4	0.12.5, 0.13.3, 1.0.4
alpine v3.21	ruby	=3.3.3-r1 \|\| =3.3.3-r2 \|\| =3.3.6-r0 \|\| =3.3.8-r0 \|\| >=0 <3.3.10-r0 \|\| =3.3.3-r1 \|\| =3.3.3-r2 \|\| =3.3.6-r0 \|\| =3.3.8-r0 \|\| >=0 <3.3.10-r0	3.3.10-r0, 3.3.10-r0
debian 13	rubygems	=3.6.7-2 \|\| =3.6.7-3~exp1	-
debian 12	rubygems	=3.3.15-2 \|\| =3.3.15-2+deb12u1 \|\| =3.4.20-1 \|\| =3.4.20-1~0 \|\| =3.6.3-1 \|\| =3.6.6-1 \|\| =3.6.7-1 \|\| =3.6.7-2 \|\| =3.6.7-3~exp1	-
debian 14	ruby3.3	=3.3.8-2	-
debian 11	rubygems	=3.2.27-1 \|\| =3.2.27-2 \|\| =3.2.27-3 \|\| =3.2.5-2 \|\| =3.2.5-2+deb11u1 \|\| =3.3.15-1 \|\| =3.3.15-2 \|\| =3.3.5-1 \|\| =3.3.5-2 \|\| =3.4.20-1 \|\| =3.4.20-1~0 \|\| =3.6.3-1 \|\| =3.6.6-1 \|\| =3.6.7-1 \|\| =3.6.7-2 \|\| =3.6.7-3~exp1	-
debian 14	rubygems	=3.6.7-2 \|\| =3.6.7-3~exp1	-
alpine v3.20	ruby	=3.3.3-r1 \|\| =3.3.6-r0 \|\| =3.3.8-r0 \|\| >=0 <3.3.10-r0 \|\| =3.3.3-r1 \|\| =3.3.6-r0 \|\| =3.3.8-r0 \|\| >=0 <3.3.10-r0	3.3.10-r0, 3.3.10-r0
debian 13	ruby3.3	=3.3.8-2	-
debian 12	ruby3.1	=3.1.2-7 \|\| =3.1.2-7+deb12u1 \|\| =3.1.2-7+hurd.1 \|\| =3.1.2-8 \|\| =3.1.2-8.1~exp1 \|\| =3.1.2-8.3 \|\| =3.1.2-8.4 \|\| =3.1.2-8.5	-

1-10 of 21

Aliases

1. CVE-2025-615942. NVD-2025-615943. OSV-2025-615944. OSV-ALPINE-2025-615945. OSV-DEBIAN-2025-615946. GHSA-j4pr-3wm6-xx2r7. GHSA-22h5-pq3x-2gf28. GCVE-2025-615949. SECURITY-CVE-2025-6159410. SECURITY-TRACKER-CVE-2025-61594

References

1. https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r2. https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f59023. https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c4. https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a5. https://hackerone.com/reports/29576676. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml7. https://www.ruby-lang.org/en/news/2025/02/26/security-advisories8. https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.