URI Module Vulnerability Exposing User Credentials in Ruby
CVE-2025-61594

2.1LOW

Key Information:

Vendor

Ruby

Status
Uri
Vendor
CVE Published:
30 December 2025

What is CVE-2025-61594?

The URI module in Ruby allows for managed handling of Uniform Resource Identifiers but contains a significant flaw in versions before 0.12.5, 0.13.3, and 1.0.4. This vulnerability enables a bypass of previous security measures designed to mitigate credential exposure. Specifically, using the '+' operator to concatenate URIs can inadvertently leak sensitive information, such as passwords. This behavior contravenes the standards outlined in RFC3986, jeopardizing the security of applications relying on affected versions of the URI module. Developers are urged to update to the fixed versions to ensure their applications are secure against this vulnerability.

Affected Version(s)

uri < 0.12.5 < 0.12.5

uri >= 0.13.0, < 0.13.3 < 0.13.0, 0.13.3

uri >= 1.0.0, < 1.0.4 < 1.0.0, 1.0.4

References

https://github.com/ruby/uri/security/advisories/GHSA-j4pr...
x_refsource_CONFIRM
https://hackerone.com/reports/2957667
x_refsource_MISC
https://github.com/advisories/GHSA-22h5-pq3x-2gf2
x_refsource_MISC

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.