{ "schema_version": "1.4.0", "id": "GHSA-22h5-pq3x-2gf2", "modified": "2025-03-04T15:47:31Z", "published": "2025-03-03T22:07:53Z", "aliases": [ "CVE-2025-27221" ], "summary": "URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+", "details": "There is a possibility for userinfo leakage in the uri gem.\nThis vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.\n\n## Details\n\nThe methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.\n\nPlease update the URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.\n\n## Affected versions\n\nuri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.\n\n## Credits\n\nThanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.\nAlso thanks to nobu for additional fixes of this vulnerability.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.11.3" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.12.0" }, { "fixed": "0.12.4" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.13.0" }, { "fixed": "0.13.2" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.3" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-27221" }, { "type": "WEB", "url": "https://github.com/ruby/uri/pull/154" }, { "type": "WEB", "url": "https://github.com/ruby/uri/pull/155" }, { "type": "WEB", "url": "https://github.com/ruby/uri/pull/156" }, { "type": "WEB", "url": "https://github.com/ruby/uri/pull/157" }, { "type": "WEB", "url": "https://hackerone.com/reports/2957667" }, { "type": "PACKAGE", "url": "https://github.com/ruby/uri" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml" }, { "type": "WEB", "url": "https://www.cve.org/CVERecord?id=CVE-2025-27221" }, { "type": "WEB", "url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-212" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-03-03T22:07:53Z", "nvd_published_at": "2025-03-04T00:15:31Z" } }