uri 1.0.3
CVE-2025-61594 - URI Credential Leakage Bypass over CVE-2025-27221
high severity CVE-2025-61594~> 0.12.5, ~> 0.13.3, >= 1.0.4
In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.
This vulnerability has been assigned the CVE identifier CVE-2025-61594. We recommend upgrading the uri gem.
Details
When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.
Please update URI gem to version 0.12.5, 0.13.3, 1.0.4 or later.
Affected versions
uri gem versions < 0.12.5, 0.13.0 to 0.13.2 and 1.0.0 to 1.0.3.
Credits
Thanks to junfuchong (chongfujun) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.