CVE-2025-61594

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61594.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200",
        "CWE-212"
    ]
}

References

Affected packages

Git / github.com/ruby/uri

Affected ranges

Type

GIT

Repo

https://github.com/ruby/uri

Events

Introduced

Fixed

8cf5a496c1f8e5fe58c0c605ad96d12a051e24c6

Introduced

b50d37f7a193991c56bda7f94e8dd6fec0bb3f7f

Fixed

f39018d26848aaa64f22e912599e0dfbcae504ff

Introduced

af8d9d6bb1a90da71f64a9c3f8eddd3626d44efb

Fixed

e5074739c3f28e03a26f6a1daa2a051fdbc3e774

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.12.5"
        },
        {
            "introduced": "0.13.0"
        },
        {
            "fixed": "0.13.3"
        },
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.4"
        }
    ],
    "cpe": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0

v0.12.0

v0.12.1

v0.12.2

v0.12.3

v0.12.4

v0.13.0

v0.13.1

v0.13.2

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-61594.json"