In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 4
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Ruby-Lang Uri
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
|
— |
0.11.3
|
|
Ruby-Lang Uri
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
|
0.12.0
|
0.12.4
|
|
Ruby-Lang Uri
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
|
0.13.0
|
0.13.2
|
|
Ruby-Lang Uri
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
|
1.0.0
|
1.0.3
|
References 4
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221…
cve@mitre.org
https://hackerone.com/reports/2957667
cve@mitre.org
https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
af854a3a-2127-422b-91ae-364da2661108
https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
af854a3a-2127-422b-91ae-364da2661108