Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-73356.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-73356
Upstream
Published
2025-12-30T21:15:43Z
Modified
2026-04-01T05:22:17.315364Z
Summary
CVE-2025-61594 affecting package ruby for versions less than 3.3.5-7
Details

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

References

Affected packages

Azure Linux:3 / ruby

Package

Name
ruby
Purl
pkg:rpm/azure-linux/ruby

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3.5-7

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-73356.json"