CVE-2025-61594

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-61594
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-61594.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-61594
Aliases
Downstream
Published
2025-12-30T21:03:08.990Z
Modified
2026-01-03T09:34:29.312683Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
URI Credential Leakage Bypass over CVE-2025-27221
Details

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-212"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61594.json"
}
References

Affected packages

Git / github.com/ruby/uri

Affected ranges

Type
GIT
Repo
https://github.com/ruby/uri
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8cf5a496c1f8e5fe58c0c605ad96d12a051e24c6
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.12.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/ruby/uri
Events
Introduced
b50d37f7a193991c56bda7f94e8dd6fec0bb3f7f
Fixed
f39018d26848aaa64f22e912599e0dfbcae504ff
Database specific 
{
    "versions": [
        {
            "introduced": "0.13.0"
        },
        {
            "fixed": "0.13.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/ruby/uri
Events
Introduced
af8d9d6bb1a90da71f64a9c3f8eddd3626d44efb
Fixed
e5074739c3f28e03a26f6a1daa2a051fdbc3e774
Database specific 
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.4"
        }
    ]
}

Affected versions

v0.*

v0.10.0
v0.10.1
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.13.0
v0.13.1
v0.13.2

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-61594.json"