CVE-2025-61594

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series), and 1.0.3 and earlier (bundled in the Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
Configurations

Configuration 1

OR
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*

History

16 Apr 2026, 18:16

Type: References
Values Removed:
  • https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902 (tags: Patch; source: security-advisories@github.com)
  • https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c (tags: Patch; source: security-advisories@github.com)
  • https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a (tags: Patch; source: security-advisories@github.com)
  • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml (tags: Vendor Advisory; source: security-advisories@github.com)
  • https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/ (tags: Vendor Advisory; source: security-advisories@github.com)
Values Added:
  • https://github.com/advisories/GHSA-22h5-pq3x-2gf2
  • https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r
  • https://hackerone.com/reports/2957667
  • https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
Type: CWE
  • CWE-200
Type: Summary
Values Removed:
  • (es, translated from Spanish) URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3 and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the '+' operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3 and 1.0.4 fix the issue.
  • (en) URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
Values Added:
  • (en) URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series), and 1.0.3 and earlier (bundled in the Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

24 Feb 2026, 14:57

Type: References (URLs unchanged; tags added)
  • https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902 (tag added: Patch)
  • https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c (tag added: Patch)
  • https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a (tag added: Patch)
  • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml (tag added: Vendor Advisory)
  • https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/ (tag added: Vendor Advisory)
Type: First Time
Values Added:
  • Ruby-lang uri
  • Ruby-lang
Type: CPE
Values Added:
  • cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
Type: CVSS
Values Removed:
  • v2 : unknown
  • v3 : unknown
Values Added:
  • v2 : unknown
  • v3 : 7.5

30 Dec 2025, 21:15

Type: New CVE

Information

Published : 2025-12-30 21:15

Updated : 2026-04-16 18:16


NVD link : CVE-2025-61594

Mitre link : CVE-2025-61594

CVE.ORG link : CVE-2025-61594


Products Affected

ruby-lang

  • uri
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer