In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
References
Link | Resource |
---|---|
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml | Third Party Advisory |
https://hackerone.com/reports/2957667 | Permissions Required |
Configurations
Configuration 1 (hide)
|
History
01 Aug 2025, 02:06
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:* | |
First Time |
Ruby-lang
Ruby-lang uri |
|
References | () https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml - Third Party Advisory | |
References | () https://hackerone.com/reports/2957667 - Permissions Required | |
Summary |
|
04 Mar 2025, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-03-04 00:15
Updated : 2025-08-01 02:06
NVD link : CVE-2025-27221
Mitre link : CVE-2025-27221
CVE.ORG link : CVE-2025-27221
JSON object : View
Products Affected
ruby-lang
- uri
CWE
CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer