PT-2025-20241 · Jruby · Jruby-Openssl+1

Mohamedhafez · Published 2025-05-07 · Updated 2025-10-21 · CVE-2025-46551

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
JRuby-OpenSSL versions 0.12.1 through 0.15.3
JRuby versions 9.3.4.0 through 9.4.12.0
JRuby version 10.0.0.0

Description
The issue concerns the verification of SSL certificates. When a certificate is verified, the hostname it was issued for is not compared with the hostname the user is connecting to. An attacker in a man-in-the-middle position could therefore present any valid certificate for a different domain they own, and it would be accepted. This affects users who rely on JRuby to make requests to external APIs or to scrape the web securely over HTTPS.

Recommendations
For JRuby-OpenSSL versions 0.12.1 through 0.15.3, update to version 0.15.4.
For JRuby versions 9.3.4.0 through 9.4.12.0, update to version 9.4.12.1.
For JRuby version 10.0.0.0, update to version 10.0.0.1.
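The check that the advisory describes as missing is the comparison of the dialled hostname against the names in the server certificate. The following Ruby script is an added example, not code from the advisory or from the JRuby or JRuby-OpenSSL projects: it builds a constructed self-signed certificate for a made-up name (api.example.test), runs the standard-library identity check against it, and shows how a client SSLContext must be configured so that a valid certificate for a different domain is rejected. The function names (build_test_cert, hostname_matches?, hardened_client_context, enforces_hostname?) and the hostnames are assumptions of this example; the OpenSSL::SSL and OpenSSL::X509 calls are the public Ruby openssl API, which JRuby-OpenSSL implements.

```ruby
require "openssl"

# Constructed test fixture: a self-signed certificate whose subjectAltName is
# +hostname+. This is the field a correct hostname check must compare against.
def build_test_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The hostname check itself: does the name the client connected to appear in the
# certificate's subjectAltName (or, for legacy certificates without a SAN, the CN)?
# Matching is case-insensitive and honours a single leading wildcard label.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Client context as a defender should configure it: chain validation against a
# trust store AND hostname validation. verify_hostname has no effect unless
# verify_mode is VERIFY_PEER, so both must be set.
def hardened_client_context(store)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store      = store
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx
end

# Audit helper: true only when a context would reject a validly signed
# certificate issued for the wrong name, i.e. the gap in the advisory is closed.
def enforces_hostname?(ctx)
  ctx.verify_mode == OpenSSL::SSL::VERIFY_PEER && ctx.verify_hostname == true
end

if __FILE__ == $0
  cert = build_test_cert("api.example.test")
  puts "api.example.test -> #{hostname_matches?(cert, 'api.example.test')}"
  puts "attacker.example -> #{hostname_matches?(cert, 'attacker.example')}"
  ctx = hardened_client_context(OpenSSL::X509::Store.new)
  puts "hardened context enforces hostname check: #{enforces_hostname?(ctx)}"
  puts "bare SSLContext enforces hostname check:  #{enforces_hostname?(OpenSSL::SSL::SSLContext.new)}"
end
```

On a fixed JRuby-OpenSSL the library performs this comparison during the handshake; the script is useful for confirming that application code has not disabled it (for example by setting verify_mode to VERIFY_NONE or verify_hostname to false) and for unit-testing any custom verify_callback against a certificate for the wrong name.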


Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2025-46551
ECHO-B49A-ED3A-3F0A
GHSA-72QJ-48G4-5XGX

Affected Products

Jruby
Jruby-Openssl