Tsubasa Irisawa

#47888 of 53,635
5.3 Total CVSS
Vulnerabilities · 1
PT-2025-8696
5.3
2025-02-26
Ruby · Uri · CVE-2025-27221
**Name of the Vulnerable Software and Affected Versions**

URI gem versions prior to 0.11.3
URI gem versions 0.12.0 through 0.12.3
URI gem versions 0.13.0 through 0.13.1
URI gem versions 1.0.0 through 1.0.2

**Description**

The URI handling methods (`URI.join`, `URI#merge`, `URI#+`) in the URI gem for Ruby can inadvertently leak authentication credentials: the userinfo component of the base URI is retained even after the host has been changed. When one of these methods is used to derive a URL pointing at a malicious host from a URL that carries secret userinfo, those credentials end up in the generated URL.

**Recommendations**

For URI gem versions prior to 0.11.3, update to version 0.11.3 or later.
For URI gem versions 0.12.0 through 0.12.3, update to version 0.12.4 or later.
For URI gem versions 0.13.0 through 0.13.1, update to version 0.13.2 or later.
For URI gem versions 1.0.0 through 1.0.2, update to version 1.0.3 or later.

As a temporary workaround, avoid the `URI.join`, `URI#merge`, and `URI#+` methods until a patch is available.
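The following is an added example, not code from the advisory or from the URI gem itself. It shows the defensive check a practitioner would want around cross-host joins: a `safe_join` wrapper that scrubs userinfo whenever the joined URL lands on a different host than the base URL (same-host relative links keep their credentials), and a small probe, `uri_join_leaks_userinfo?`, that reports whether the URI gem installed in the current Ruby still carries credentials across a host change. The hostnames and the `user:secret` credential are constructed sample values.

```ruby
# Added example (not from the advisory or the URI gem): a defensive wrapper
# around URI.join that never carries the base URI's credentials to another
# host, plus a probe for the behaviour the advisory describes.
# All hostnames and the "user:secret" credential below are constructed.
require 'uri'

# Join +ref+ onto +base+, dropping userinfo if the resulting host differs
# from the base host. Same-host joins (e.g. "../status") keep userinfo,
# which is the expected behaviour for intra-site relative links.
def safe_join(base, ref)
  base_uri = URI(base)
  joined   = URI.join(base_uri, ref)   # URI.join accepts URI objects or strings

  # Host changed and credentials survived the join: scrub them.
  # Password is cleared first because URI::Generic rejects a password
  # without an accompanying user.
  if joined.host != base_uri.host && joined.userinfo
    joined.password = nil
    joined.user     = nil
  end
  joined
end

# Probe for the advisory's behaviour: returns true if the installed URI gem
# lets URI.join carry the base URI's userinfo onto a different host
# (an affected version), false if the gem already strips it.
def uri_join_leaks_userinfo?
  base = URI("https://user:secret@example.com/app/")
  out  = URI.join(base, "https://other.example/callback")
  !out.userinfo.nil?
end

if $PROGRAM_NAME == __FILE__
  puts "URI gem #{URI::VERSION} leaks userinfo across hosts? #{uri_join_leaks_userinfo?}"
  puts safe_join("https://user:secret@example.com/app/", "https://other.example/callback")
  puts safe_join("https://user:secret@example.com/app/", "../status")
end
```

Running the file prints whether the installed gem is affected; the probe is a cheap check to drop into a test suite so a dependency bump that reintroduces an affected version fails CI. The wrapper is a stopgap for code that cannot yet move off `URI.join`; upgrading to a fixed gem version remains the actual remediation.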