CVE-2025-61594: URI Credential Leakage Bypass previous fixes
Posted by hsbt on 7 Oct 2025
We published security advisory for CVE-2025-61594.
CVE-2025-61594: URI Credential Leakage Bypass over CVE-2025-27221
In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.
This vulnerability has been assigned the CVE identifier CVE-2025-61594. We recommend upgrading the uri gem.
Details
When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.
Please update URI gem to version 0.12.5, 0.13.3, 1.0.4 or later.
Affected versions
- uri gem versions < 0.12.5, 0.13.0 to 0.13.2 and 1.0.0 to 1.0.3.
Credits
Thanks to junfuchong (chongfujun) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.
History
- Originally published at 2025-10-07 0:00:00 (UTC)
Recent News
Ruby 4.0.0 Released
We are pleased to announce the release of Ruby 4.0.0. Ruby 4.0 introduces “Ruby Box” and “ZJIT”, and adds many improvements.
Posted by naruse on 25 Dec 2025
A New Look for Ruby's Documentation
Following the ruby-lang.org redesign, we have more news to celebrate Ruby’s 30th anniversary: docs.ruby-lang.org has a completely new look with Aliki—RDoc’s new default theme.
Posted by Stan Lo on 23 Dec 2025
Redesign our Site Identity
We are excited to announce a comprehensive redesign of our site. The design for this update was created by Taeko Akatsuka.
Posted by Hiroshi SHIBATA on 22 Dec 2025
Ruby 4.0.0 preview3 Released
We are pleased to announce the release of Ruby 4.0.0-preview3. Ruby 4.0 introduces Ruby::Box and “ZJIT”, and adds many improvements.
Posted by naruse on 18 Dec 2025