UBUNTU-CVE-2025-61594
- Source
- https://ubuntu.com/security/CVE-2025-61594
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-61594
- Upstream
- Published
- 2025-12-30T21:15:00Z
- Modified
- 2026-01-08T06:16:28.477946Z
- Severity
-
- 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the
+operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue. - References
-
- https://ubuntu.com/security/CVE-2025-61594
- https://www.cve.org/CVERecord?id=CVE-2025-61594
- https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
- https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
- https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c
- https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
Affected packages
Ubuntu:16.04:LTS
jruby
Package
- Name
- jruby
- Purl
- pkg:deb/ubuntu/jruby@1.7.22-1ubuntu1?arch=source&distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:18.04:LTS
jruby
Package
- Name
- jruby
- Purl
- pkg:deb/ubuntu/jruby@9.1.17.0-1~18.04?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:20.04:LTS
jruby
Package
- Name
- jruby
- Purl
- pkg:deb/ubuntu/jruby@9.1.17.0-3build6?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:22.04:LTS
ruby3.0
Package
- Name
- ruby3.0
- Purl
- pkg:deb/ubuntu/ruby3.0@3.0.2-7ubuntu2.11?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.0.2-5ubuntu1
3.0.2-7
3.0.2-7ubuntu2
3.0.2-7ubuntu2.1
3.0.2-7ubuntu2.2
3.0.2-7ubuntu2.3
3.0.2-7ubuntu2.4
3.0.2-7ubuntu2.5
3.0.2-7ubuntu2.6
3.0.2-7ubuntu2.7
3.0.2-7ubuntu2.8
3.0.2-7ubuntu2.10
3.0.2-7ubuntu2.11
Ubuntu:24.04:LTS
jruby
Package
- Name
- jruby
- Purl
- pkg:deb/ubuntu/jruby@9.4.6.0+ds-1ubuntu3?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
ruby3.2
Package
- Name
- ruby3.2
- Purl
- pkg:deb/ubuntu/ruby3.2@3.2.3-1ubuntu0.24.04.6?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.2.3-1
3.2.3-1build2
3.2.3-1build3
3.2.3-1ubuntu0.24.04.1
3.2.3-1ubuntu0.24.04.3
3.2.3-1ubuntu0.24.04.5
3.2.3-1ubuntu0.24.04.6
Ubuntu:25.04
jruby
Package
- Name
- jruby
- Purl
- pkg:deb/ubuntu/jruby@9.4.8.0+ds-2ubuntu1?arch=source&distro=plucky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
ruby3.3
Package
- Name
- ruby3.3
- Purl
- pkg:deb/ubuntu/ruby3.3@3.3.7-1ubuntu2.1?arch=source&distro=plucky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
3.3.4-2ubuntu5
3.3.4-2ubuntu6
3.3.4-2ubuntu7
3.3.6-1.1ubuntu1
3.3.7-1ubuntu2
3.3.7-1ubuntu2.1
Ubuntu:25.10
jruby
Package
- Name
- jruby
- Purl
- pkg:deb/ubuntu/jruby@9.4.8.0+ds-3ubuntu1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
ruby3.3
Package
- Name
- ruby3.3
- Purl
- pkg:deb/ubuntu/ruby3.3@3.3.8-2ubuntu2?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:Pro:14.04:LTS
jruby
Package
- Name
- jruby
- Purl
- pkg:deb/ubuntu/jruby@1.5.6-9+deb8u2build0.14.04.1~esm2?arch=source&distro=esm-infra-legacy/trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:Pro:16.04:LTS
ruby2.3
Package
- Name
- ruby2.3
- Purl
- pkg:deb/ubuntu/ruby2.3@2.3.1-2~ubuntu16.04.16+esm11?arch=source&distro=esm-infra/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2.*
2.3.0-1
2.3.0-2
2.3.0-4ubuntu2
2.3.0-4ubuntu3
2.3.0-5ubuntu1
2.3.1-2~16.04
2.3.1-2~16.04.2
2.3.1-2~16.04.4
2.3.1-2~16.04.5
2.3.1-2~16.04.6
2.3.1-2~16.04.7
2.3.1-2~16.04.9
2.3.1-2~16.04.10
2.3.1-2~16.04.11
2.3.1-2~16.04.12
2.3.1-2~ubuntu16.04.13
2.3.1-2~ubuntu16.04.14
2.3.1-2~ubuntu16.04.15
2.3.1-2~ubuntu16.04.16
2.3.1-2~ubuntu16.04.16+esm1
2.3.1-2~ubuntu16.04.16+esm2
2.3.1-2~ubuntu16.04.16+esm3
2.3.1-2~ubuntu16.04.16+esm4
2.3.1-2~ubuntu16.04.16+esm5
2.3.1-2~ubuntu16.04.16+esm6
2.3.1-2~ubuntu16.04.16+esm7
2.3.1-2~ubuntu16.04.16+esm8
2.3.1-2~ubuntu16.04.16+esm9
2.3.1-2~ubuntu16.04.16+esm10
2.3.1-2~ubuntu16.04.16+esm11
Ecosystem specific
{
"binaries": [
{
"binary_name": "libruby2.3",
"binary_version": "2.3.1-2~ubuntu16.04.16+esm11"
},
{
"binary_name": "ruby2.3",
"binary_version": "2.3.1-2~ubuntu16.04.16+esm11"
},
{
"binary_name": "ruby2.3-dev",
"binary_version": "2.3.1-2~ubuntu16.04.16+esm11"
},
{
"binary_name": "ruby2.3-tcltk",
"binary_version": "2.3.1-2~ubuntu16.04.16+esm11"
}
]
}Ubuntu:Pro:18.04:LTS
ruby2.5
Package
- Name
- ruby2.5
- Purl
- pkg:deb/ubuntu/ruby2.5@2.5.1-1ubuntu1.16+esm6?arch=source&distro=esm-infra/bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2.*
2.5.0~preview1-1ubuntu2
2.5.0-4ubuntu1
2.5.0-4ubuntu4
2.5.0-5ubuntu1
2.5.0-6ubuntu1
2.5.1-1ubuntu1
2.5.1-1ubuntu1.1
2.5.1-1ubuntu1.2
2.5.1-1ubuntu1.4
2.5.1-1ubuntu1.5
2.5.1-1ubuntu1.6
2.5.1-1ubuntu1.7
2.5.1-1ubuntu1.8
2.5.1-1ubuntu1.9
2.5.1-1ubuntu1.10
2.5.1-1ubuntu1.11
2.5.1-1ubuntu1.12
2.5.1-1ubuntu1.13
2.5.1-1ubuntu1.14
2.5.1-1ubuntu1.15
2.5.1-1ubuntu1.16
2.5.1-1ubuntu1.16+esm1
2.5.1-1ubuntu1.16+esm3
2.5.1-1ubuntu1.16+esm4
2.5.1-1ubuntu1.16+esm5
2.5.1-1ubuntu1.16+esm6
Ubuntu:Pro:20.04:LTS
ruby2.7
Package
- Name
- ruby2.7
- Purl
- pkg:deb/ubuntu/ruby2.7@2.7.0-5ubuntu1.18+esm3?arch=source&distro=esm-infra/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2.*
2.7.0-1
2.7.0-2
2.7.0-3
2.7.0-4
2.7.0-4ubuntu1
2.7.0-5ubuntu1
2.7.0-5ubuntu1.1
2.7.0-5ubuntu1.2
2.7.0-5ubuntu1.3
2.7.0-5ubuntu1.4
2.7.0-5ubuntu1.5
2.7.0-5ubuntu1.6
2.7.0-5ubuntu1.7
2.7.0-5ubuntu1.8
2.7.0-5ubuntu1.9
2.7.0-5ubuntu1.10
2.7.0-5ubuntu1.11
2.7.0-5ubuntu1.12
2.7.0-5ubuntu1.13
2.7.0-5ubuntu1.14
2.7.0-5ubuntu1.15
2.7.0-5ubuntu1.16
2.7.0-5ubuntu1.17
2.7.0-5ubuntu1.18
2.7.0-5ubuntu1.18+esm1
2.7.0-5ubuntu1.18+esm3