CVE-2025-61594

EPSS 0.01%
Veröffentlicht 30.12.2025 21:15:43
Zuletzt bearbeitet 16.04.2026 18:16:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

URI Credential Leakage Bypass over CVE-2025-27221

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ruby-lang ≫ Uri SwPlatformruby Version < 0.12.5

Ruby-lang ≫ Uri SwPlatformruby Version >= 0.13.0 < 0.13.3

Ruby-lang ≫ Uri SwPlatformruby Version >= 1.0.0 < 1.0.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.01

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	2.1	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

https://hackerone.com/reports/2957667

https://github.com/advisories/GHSA-22h5-pq3x-2gf2

https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r

https://www.ruby-lang.org/en/news/2025/02/26/security-advisories

https://nvd.nist.gov/vuln/detail/CVE-2025-61594

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-61594

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-61594

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-61594