CVE-2025-61594

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902	Patch
https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c	Patch
https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a	Patch
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml	Vendor Advisory
https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:uri::::::ruby::*
	cpe:2.3:a:ruby-lang:uri::::::ruby::*
	cpe:2.3:a:ruby-lang:uri::::::ruby::*

History

No history.

Information

Published : 2025-12-30 21:15

Updated : 2026-02-24 14:57

NVD link : CVE-2025-61594

Mitre link : CVE-2025-61594

CVE.ORG link : CVE-2025-61594

JSON object : View

Products Affected

ruby-lang

uri

CWE

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

{"id": "CVE-2025-61594", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-30T21:15:43.893", "references": [{"url": "https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-212"}]}], "descriptions": [{"lang": "en", "value": "URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue."}, {"lang": "es", "value": "URI es un m\u00f3dulo que proporciona clases para manejar Identificadores Uniformes de Recursos. En versiones anteriores a 0.12.5, 0.13.3 y 1.0.4, existe un bypass para la correcci\u00f3n de CVE-2025-27221 que puede exponer credenciales de usuario. Al usar el operador '+' para combinar URIs, informaci\u00f3n sensible como contrase\u00f1as del URI original puede filtrarse, violando RFC3986 y haciendo que las aplicaciones sean vulnerables a la exposici\u00f3n de credenciales. Las versiones 0.12.5, 0.13.3 y 1.0.4 corrigen el problema."}], "lastModified": "2026-02-24T14:57:18.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "488EF0F7-7510-451A-9EFC-85673ADC364D", "versionEndExcluding": "0.12.5"}, {"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "336CB58A-5975-4516-86A6-FAC69551C4A3", "versionEndExcluding": "0.13.3", "versionStartIncluding": "0.13.0"}, {"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "7930C9E3-5EEA-40F9-8299-25B6C681BAD6", "versionEndExcluding": "1.0.4", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}