CVE-2025-61594 - Medium Severity Vulnerability
Vulnerable Library - uri-1.0.3.gem
URI is a module providing classes to handle Uniform Resource Identifiers
Library home page: https://rubygems.org/gems/uri-1.0.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/uri-1.0.3.gem
Dependency Hierarchy:
- manageiq-style-1.3.3.gem (Root Library)
  - more_core_extensions-4.5.1.gem
    - activesupport-8.0.2.gem
      - ❌ uri-1.0.3.gem (Vulnerable Library)
Found in base branch: master
Vulnerability Details
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series), and 1.0.3 and earlier (bundled in the Ruby 3.4 series), when using the + operator to combine URIs, sensitive information such as passwords from the original URI can be leaked, violating RFC 3986 and exposing applications to credential disclosure. This is a bypass of the fix for CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
Publish Date: 2025-12-30
URL: CVE-2025-61594
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-30
Fix Resolution:
- https://github.com/ruby/uri.git - v0.12.5
- https://github.com/ruby/uri.git - v0.13.3
- https://github.com/ruby/uri.git - v1.0.4
Step up your Open Source Security Game with Mend here