CVE-2025-27221.yml
---
gem: uri
cve: 2025-27221
ghsa: 22h5-pq3x-2gf2
url: https://www.cve.org/CVERecord?id=CVE-2025-27221
title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
date: 2025-02-26
description: |
  There is a possibility for userinfo leakage in the uri gem.
  This vulnerability has been assigned the CVE identifier
  CVE-2025-27221. We recommend upgrading the uri gem.

  ## Details

  The methods URI#join, URI#merge, and URI#+ retained userinfo, such
  as user:password, even after the host is replaced. When generating
  a URL to a malicious host from a URL containing secret userinfo
  using these methods, and having someone access that URL, an
  unintended userinfo leak could occur.

  Please update the URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.

  ## Affected versions

  uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and
  1.0.0 to 1.0.2.

  ## Credits

  Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
  Also thanks to nobu for additional fixes of this vulnerability.
cvss_v3: 3.2
patched_versions:
  - "~> 0.11.3"
  - "~> 0.12.4"
  - "~> 0.13.2"
  - ">= 1.0.3"
related:
  url:
    - https://www.cve.org/CVERecord?id=CVE-2025-27221
    - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories