CVE-2025-61594

HIGH

URI <1.0.4 - Auth Bypass

Title source: llm

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

References (5)

[Various Sources] https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml

View Writeup ZIP pw:eip

[Various Sources] https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/

[Patch] https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902

View Patch ZIP pw:eip

[Patch] https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c

[Patch] https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 2.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-212

Status published

Affected Products (2)

rubygems/uri < 0.12.5RubyGems

ruby-lang/uri < 0.12.5

Timeline

Published Dec 30, 2025

Tracked Since Feb 18, 2026