CVE-2025-61594

EUVD-2025-205858

30.12.2025, 21:15

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
ruby-lang	uri	𝑥 < 0.12.5
ruby-lang	uri	0.13.0 ≤ 𝑥 < 0.13.3
ruby-lang	uri	1.0.0 ≤ 𝑥 < 1.0.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ruby2.7

bullseye	postponed
bullseye (security)	vulnerable

ruby3.1

bookworm	no-dsa
bookworm (security)	vulnerable

ruby3.3

forky	vulnerable
sid	vulnerable
trixie	no-dsa

rubygems

bookworm	no-dsa
bullseye	postponed
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	no-dsa

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/advisories/GHSA-22h5-pq3x-2gf2

https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r

https://hackerone.com/reports/2957667

https://www.ruby-lang.org/en/news/2025/02/26/security-advisories