uri 0.12.1
ReDoS vulnerability in URI
medium severity CVE-2023-36617~> 0.10.0.3
, ~> 0.10.3
, ~> 0.11.2
, >= 0.12.2
We have released the uri gem version 0.12.2, 0.10.3 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-36617.
Details
A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.
NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755.
The uri gem version 0.12.1 and all versions prior 0.12.1 are vulnerable for this vulnerability.
Recommended action
We recommend to update the uri gem to 0.12.2. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
-
For Ruby 3.0: Update to uri 0.10.3
-
For Ruby 3.1 and 3.2: Update to uri 0.12.2 You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.2" (or other version mentioned above) to your Gemfile.
-
Affected versions: uri gem 0.12.1 or before
CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
low severity CVE-2025-27221~> 0.11.3
, ~> 0.12.4
, ~> 0.13.2
, >= 1.0.3
There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.
Details
The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.
Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.
Affected versions
uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.
Credits
Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.