CVE-2025-27221

Summary

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Affected Software

VendorProductVersion RangeStatus
ruby-langURI0 < 0.11.3affected
ruby-langURI0.12.0 < 0.12.4affected
ruby-langURI0.13.0 < 0.13.2affected
ruby-langURI1.0.0 < 1.0.3affected

Weaknesses

  • CWE-212: CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References