nobu

3 exploits Active since Mar 2025
CVE-2025-27220 WRITEUP MEDIUM WRITEUP
CGI <0.4.2 - ReDoS
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
CVSS 4.0
CVE-2025-27221 WRITEUP LOW WRITEUP
URI gem <1.0.3 - Info Disclosure
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
CVSS 3.2
CVE-2025-61594 WRITEUP HIGH WRITEUP
URI <1.0.4 - Auth Bypass
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
CVSS 7.5