Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-61594

Severity CVSS v4.0:
LOW
Type:
CWE-200 Information Leak / Disclosure
Publication date:
30/12/2025
Last modified:
16/04/2026

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Impact

Vector 4.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 2.10 LOW
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): None
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): None
Availability (SA): None

Base Score 4.0
2.10
Severity 4.0
LOW
Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 7.50 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x
7.50
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:* 0.12.5 (excluding)
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:* 0.13.0 (including) 0.13.3 (excluding)
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:* 1.0.0 (including) 1.0.4 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools