CVE-2025-61594

EUVD-2025-205858
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
Affected Products (NVD)
VendorProductVersion
ruby-languri
𝑥
< 0.12.5
ruby-languri
0.13.0 ≤
𝑥
< 0.13.3
ruby-languri
1.0.0 ≤
𝑥
< 1.0.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby2.7
bullseye
postponed
bullseye (security)
vulnerable
ruby3.1
bookworm
no-dsa
bookworm (security)
vulnerable
ruby3.3
forky
vulnerable
sid
vulnerable
trixie
no-dsa
rubygems
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Azure Linux logo
Azure Linux Releases
Azure Package
Release
ruby
Azure Linux 3.0
0:3.3.5-7.azl3
fixed
CBL-Mariner 2.0
0:3.1.7-4.cm2
fixed