CVE-2025-61594

7.5 HIGH
Published: December 30, 2025 Modified: February 24, 2026
View on NVD

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
Source: security-advisories@github.com
Patch
https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c
Source: security-advisories@github.com
Patch
https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a
Source: security-advisories@github.com
Patch
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
Source: security-advisories@github.com
Vendor Advisory
https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
Source: security-advisories@github.com
Vendor Advisory

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.0%
3th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-212

Affected Vendors

ruby-lang

Related CVEs

CVE-2026-4306 7.5
CVE-2026-4066 4.3
CVE-2026-3225 4.3
CVE-2026-33168 N/A
CVE-2026-33167 N/A