Ruby: CVE-2025-61594: URI Credential Leakage Bypass previous fixes

NewsBot · 7 October 2025 02:30

A new Ruby blog post/announcement has been posted!

We published security advisory for CVE-2025-61594.

CVE-2025-61594: URI Credential Leakage Bypass over CVE-2025-27221

In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

This vulnerability has been assigned the CVE identifier CVE-2025-61594. We recommend upgrading the uri gem.

Details

When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.

Please update URI gem to version 0.12.5, 0.13.3, 1.0.4 or later.

Affected versions

uri gem versions < 0.12.5, 0.13.0 to 0.13.2 and 1.0.0 to 1.0.3.

Credits

Thanks to junfuchong (chongfujun) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.

History

Originally published at 2025-10-07 0:00:00 (UTC)

Posted by hsbt on 7 Oct 2025

Get the full details here: CVE-2025-61594: URI Credential Leakage Bypass previous fixes