GHSA-j4pr-3wm6-xx2r

When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.

The vulnerability affects the uri gem bundled with the following Ruby series:

0.12.4 and earlier (bundled in Ruby 3.2 series)
0.13.2 and earlier (bundled in Ruby 3.3 series)
1.0.3 and earlier (bundled in Ruby 3.4 series)

Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4

References

https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
https://hackerone.com/reports/2957667

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T21:07:14Z",
    "severity": "LOW",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-212"
    ]
}

References

Affected packages

RubyGems / uri

Package

Name: uri
Purl: pkg:gem/uri

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.12.5

Affected versions

0.*

0.10.0

0.10.0.1

0.10.0.2

0.10.0.3

0.10.1

0.10.2

0.10.3

0.11.0

0.11.1

0.11.2

0.11.3

0.12.0

0.12.1

0.12.2

0.12.3

0.12.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j4pr-3wm6-xx2r/GHSA-j4pr-3wm6-xx2r.json"

RubyGems / uri

Package

Name: uri
Purl: pkg:gem/uri

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.13.0

Fixed

0.13.3

Affected versions

0.*

0.13.0

0.13.1

0.13.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j4pr-3wm6-xx2r/GHSA-j4pr-3wm6-xx2r.json"

RubyGems / uri

Package

Name: uri
Purl: pkg:gem/uri

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.0.4

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j4pr-3wm6-xx2r/GHSA-j4pr-3wm6-xx2r.json"