PT-2025-8696 · Ruby · Uri
Lambdasawa
Published 2025-02-26 · Updated 2026-01-03
CVE-2025-27221
CVSS v3.1 5.3 Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
URI gem versions prior to 0.11.3
URI gem versions 0.12.0 through 0.12.3
URI gem versions 0.13.0 through 0.13.1
URI gem versions 1.0.0 through 1.0.2
Description
The URI handling methods (URI.join, URI#merge, URI#+) in the URI gem for Ruby inadvertently leak authentication credentials because userinfo is retained even after the host is changed. This could lead to an unintended userinfo leak when one of these methods is used to generate a URL to a malicious host from a URL that contains secret userinfo.
Recommendations
For URI gem versions prior to 0.11.3, update to version 0.11.3 or later.
For URI gem versions 0.12.0 through 0.12.3, update to version 0.12.4 or later.
For URI gem versions 0.13.0 through 0.13.1, update to version 0.13.2 or later.
For URI gem versions 1.0.0 through 1.0.2, update to version 1.0.3 or later.
As a temporary workaround, consider avoiding the use of the URI.join, URI#merge, and URI#+ methods until a patch is available.
Exploit
Fix
Information Disclosure
Affected Products
Almalinux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Uri
Ubuntu