logo

Database

Insecure digital certificates In org.jruby:jruby

Description

JRuby-OpenSSL has hostname verification disabled by default

Summary

When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present any valid cert for a completely different domain they own, and JRuby wouldn't complain.

Details

n/a

PoC

An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with certificate verify failed (hostname mismatch), but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3

require "net/http"
require "openssl"

uri   = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl      = true
https.verify_mode  = OpenSSL::SSL::VERIFY_PEER
...

Impact

Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-465512. NVD-2025-465513. OSV-2025-465514. GHSA-72qj-48g4-5xgx5. GCVE-2025-46551

References

1. https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx2. https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed2853. https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a0554. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2025-46551.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.