CVE-2025-27221 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.2 LOW	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 36%

Affected Products (NVD)

Vendor	Product	Version
ruby-lang	uri	𝑥 < 0.11.3
ruby-lang	uri	0.12.0 ≤ 𝑥 < 0.12.4
ruby-lang	uri	0.13.0 ≤ 𝑥 < 0.13.2
ruby-lang	uri	1.0.0 ≤ 𝑥 < 1.0.3

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

ruby2.3

focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
resolute	dne
xenial	Fixed 2.3.1-2~ubuntu16.04.16+esm10 released

ruby2.5

bionic	Fixed 2.5.1-1ubuntu1.16+esm4 released
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
resolute	dne

ruby2.7

focal	Fixed 2.7.0-5ubuntu1.18 released
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
resolute	dne

ruby3.0

focal	dne
jammy	Fixed 3.0.2-7ubuntu2.10 released
noble	dne
oracular	dne
plucky	dne
questing	dne
resolute	dne

ruby3.2

focal	dne
jammy	dne
noble	Fixed 3.2.3-1ubuntu0.24.04.5 released
oracular	dne
plucky	dne
questing	dne
resolute	dne

ruby3.3

focal	dne
jammy	dne
noble	dne
oracular	Fixed 3.3.4-2ubuntu5.2 released
plucky	Fixed 3.3.7-1ubuntu2 released
questing	Fixed 3.3.7-1ubuntu2 released
resolute	Fixed 3.3.7-1ubuntu2 released

jruby

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	needs-triage
oracular	ignored
plucky	ignored
questing	needs-triage
resolute	needs-triage
trusty	needs-triage
xenial	ignored

openSUSE / SLES Releases

openSUSE Product

Release

libruby2_5-2_5

suse enterprise desktop 15 SP6	2.5.9-150000.4.46.1 fixed
suse enterprise desktop 15 SP7	2.5.9-150700.24.3.1 fixed
suse enterprise sap 15 SP3	2.5.9-150000.4.46.1 fixed
suse enterprise sap 15 SP4	2.5.9-150000.4.46.1 fixed
suse enterprise sap 15 SP5	2.5.9-150000.4.46.1 fixed
suse enterprise sap 15 SP6	2.5.9-150000.4.46.1 fixed
suse enterprise sap 15 SP7	2.5.9-150700.24.3.1 fixed
suse enterprise server 15 SP2	2.5.9-150000.4.46.1 fixed
suse enterprise server 15 SP3	2.5.9-150000.4.46.1 fixed
suse enterprise server 15 SP4	2.5.9-150000.4.46.1 fixed
suse enterprise server 15 SP5	2.5.9-150000.4.46.1 fixed
suse enterprise server 15 SP6	2.5.9-150000.4.46.1 fixed
suse enterprise server 15 SP7	2.5.9-150700.24.3.1 fixed

Common Weakness Enumeration

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

References

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml

https://hackerone.com/reports/2957667

https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html

https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html