Description
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series), 0.13.2 and earlier (bundled in Ruby 3.3 series), and 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
Published: 2025-12-30
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credentials Exposed
Action: Patch
AI Analysis

Impact

The Ruby URI module provides classes for parsing and manipulating Uniform Resource Identifiers. In affected versions, the + operator (an alias of URI#merge) that combines a base URI with another URI carried the user name and password of the original URI into the result. The record classifies this as a violation of RFC3986; the practical consequence is that a merged URI, which applications routinely write to logs or hand to other components, can expose credentials that were only meant to stay with the base URI.

Affected Systems

The issue affects the Ruby URI gem versions 0.12.4 and earlier, 0.13.2 and earlier, and 1.0.3 and earlier—bundled in Ruby 3.2, 3.3, and 3.4 series respectively. Versions 0.12.5, 0.13.3, and 1.0.4 and later contain the fix.

Risk and Exploitability

The CVSS v4.0 score is 2.1 (Low) and the EPSS score is below 1%; the vulnerability is not listed in the CISA KEV catalog. The likely exposure is application code that merges a URI carrying credentials with another URI via the + operator and then logs or otherwise passes on the result, so the leak is performed by the application's own trusted code rather than by an attacker-supplied operation. The impact is limited to disclosure of credentials (CWE-200); it does not provide code execution or denial of service.

Generated by OpenCVE AI on April 20, 2026 at 15:36 UTC.

Remediation

No vendor remediation text is recorded for this entry. The fixed releases given in the description are uri 0.12.5, 0.13.3 and 1.0.4; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade the Ruby URI gem to at least 0.12.5, 0.13.3, or 1.0.4—or update Ruby to a release that bundles the patched module.
  • If an upgrade cannot be performed immediately, remove or redact password components from any URI before performing concatenation or use alternative RFC‑compliant URI joining methods that do not propagate credentials.
  • Configure application logging to exclude or mask full URIs that may contain passwords, mitigating potential credential exposure in logs.
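The following Ruby is an added example, not code from this record or from the uri gem, that puts the three actions above (and the leak described under Impact) into practice: it checks the loaded uri gem against the fixed releases named here, merges URIs only after stripping the base URI's credentials and verifying none survived the merge, and masks the password before a URI reaches a log. The helper names (uri_gem_patched?, join_without_credentials, redact_for_log) and the sample URIs are assumptions made for illustration.

```ruby
require "uri"
require "rubygems" # Gem::Version for release comparisons

# Fixed uri gem releases named in this record, one per affected line.
FIXED_URI_VERSIONS = %w[0.12.5 0.13.3 1.0.4].freeze

# Is +version+ (default: the loaded uri gem) at or past the fix for its
# release line? A version outside the 0.12/0.13/1.0 lines counts as fixed
# only when it is newer than every fixed release, so 0.11.x stays unpatched.
def uri_gem_patched?(version = URI::VERSION)
  v = Gem::Version.new(version)
  fixed = FIXED_URI_VERSIONS.map { |s| Gem::Version.new(s) }
  same_line = fixed.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  same_line ? v >= same_line : v >= fixed.max
end

# Mitigation that does not depend on the gem version: drop the base URI's
# user and password before merging, then verify nothing leaked through.
# (Hypothetical helper, not part of the uri gem.)
def join_without_credentials(base, reference)
  base = URI.parse(base.to_s)  # fresh object; the caller's URI is untouched
  base.password = nil          # password first: URI requires a user for it
  base.user = nil              # credentials never enter the merge at all
  result = base + reference    # URI#+ is URI#merge
  raise "credentials leaked into #{result}" unless result.userinfo.nil?
  result
end

# Log-safe rendering: keep scheme, host, path and user, mask the password.
def redact_for_log(uri)
  u = URI.parse(uri.to_s)
  u.password = "REDACTED" if u.password
  u.to_s
end

if $PROGRAM_NAME == __FILE__
  puts "uri #{URI::VERSION}: #{uri_gem_patched? ? 'patched' : 'UNPATCHED'}"
  # Constructed sample URI, not data from any real system.
  api = "https://alice:s3cret@example.com/api/v1/"
  puts join_without_credentials(api, "users/42")  # https://example.com/api/v1/users/42
  puts redact_for_log(api)                         # https://alice:REDACTED@example.com/api/v1/
end
```

The merge helper is deliberately belt-and-braces: stripping the credentials beforehand means no version of URI#+ can propagate them, and the userinfo assertion afterwards turns any future regression into a loud failure instead of a silent leak.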

Generated by OpenCVE AI on April 20, 2026 at 15:36 UTC.

Advisories
Source | ID | Title
Github GHSA | GHSA-j4pr-3wm6-xx2r | URI Credential Leakage Bypass over CVE-2025-27221
History

Thu, 16 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description
  Removed: URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
  Added: URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}

cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N'}


Tue, 24 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang
Ruby-lang uri
Vendors & Products Ruby-lang
Ruby-lang uri

Fri, 02 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Tue, 30 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Description URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
Title URI Credential Leakage Bypass over CVE-2025-27221
Weaknesses CWE-212
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T17:02:32.149Z

Reserved: 2025-09-26T16:25:25.150Z

Link: CVE-2025-61594

Vulnrichment

Updated: 2025-12-30T21:29:36.147Z

NVD

Status : Modified

Published: 2025-12-30T21:15:43.893

Modified: 2026-04-16T18:16:44.400

Link: CVE-2025-61594

Redhat

Severity : Moderate

Public Date: 2025-12-30T21:03:08Z

Links: CVE-2025-61594 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses