CVE-2025-61594
Severity: HIGH
URI < 0.12.5, 0.13.0-0.13.2, 1.0.0-1.0.3 - Exposure of Sensitive Information via URI Combination Operator
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series), and 1.0.3 and earlier (bundled in the Ruby 3.4 series), when using the + operator to combine URIs, sensitive information such as the password from the original URI can be leaked into the combined URI, violating RFC 3986 and exposing applications to credential disclosure. This is a bypass of the fix for CVE-2025-27221 and can expose user credentials. The issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
References (9)
Core References
x_refsource_confirm: https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r
x_refsource_misc: https://hackerone.com/reports/2957667
x_refsource_misc: https://github.com/advisories/GHSA-22h5-pq3x-2gf2
x_refsource_misc: https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
Various Sources
https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
Scores
CVSS v3: 7.5
EPSS: 0.0051
EPSS Percentile: 39.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200, CWE-212
Status: published
Products (7)
ruby/uri: < 0.12.5
ruby/uri: >= 0.13.0, < 0.13.3
ruby/uri: >= 1.0.0, < 1.0.4
ruby-lang/uri: < 0.12.5
rubygems/uri: 0 - 0.12.5 (RubyGems)
rubygems/uri: 0.13.0 - 0.13.3 (RubyGems)
rubygems/uri: 1.0.0 - 1.0.4 (RubyGems)
Published: Dec 30, 2025
Tracked Since: Feb 18, 2026