{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-61594", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-26T16:25:25.150Z", "datePublished": "2025-12-30T21:03:08.990Z", "dateUpdated": "2026-04-16T17:02:32.149Z"}, "containers": {"cna": {"title": "URI Credential Leakage Bypass over CVE-2025-27221", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-212", "lang": "en", "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r"}, {"name": "https://hackerone.com/reports/2957667", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/2957667"}, {"name": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2"}, {"name": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories", "tags": ["x_refsource_MISC"], "url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"}], "affected": [{"vendor": "ruby", "product": "uri", "versions": [{"version": "< 0.12.5", "status": "affected"}, {"version": ">= 0.13.0, < 0.13.3", "status": "affected"}, {"version": ">= 1.0.0, < 1.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T17:02:32.149Z"}, "descriptions": [{"lang": "en", "value": "URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4."}], "source": {"advisory": "GHSA-j4pr-3wm6-xx2r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-30T21:29:32.513492Z", "id": "CVE-2025-61594", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T21:29:39.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-61594", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-30T21:29:32.513492Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T21:29:36.147Z"}}], "cna": {"title": "URI Credential Leakage Bypass over CVE-2025-27221", "source": {"advisory": "GHSA-j4pr-3wm6-xx2r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.1, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ruby", "product": "uri", "versions": [{"status": "affected", "version": "< 0.12.5"}, {"status": "affected", "version": ">= 0.13.0, < 0.13.3"}, {"status": "affected", "version": ">= 1.0.0, < 1.0.4"}]}], "references": [{"url": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r", "name": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://hackerone.com/reports/2957667", "name": "https://hackerone.com/reports/2957667", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2", "name": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2", "tags": ["x_refsource_MISC"]}, {"url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories", "name": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-212", "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T17:02:32.149Z"}}}, "cveMetadata": {"cveId": "CVE-2025-61594", "state": "PUBLISHED", "dateUpdated": "2026-04-16T17:02:32.149Z", "dateReserved": "2025-09-26T16:25:25.150Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-30T21:03:08.990Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "488EF0F7-7510-451A-9EFC-85673ADC364D", "versionEndExcluding": "0.12.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "336CB58A-5975-4516-86A6-FAC69551C4A3", "versionEndExcluding": "0.13.3", "versionStartIncluding": "0.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "7930C9E3-5EEA-40F9-8299-25B6C681BAD6", "versionEndExcluding": "1.0.4", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4."}, {"lang": "es", "value": "URI es un m\u00f3dulo que proporciona clases para manejar Identificadores Uniformes de Recursos. En versiones anteriores a 0.12.5, 0.13.3 y 1.0.4, existe un bypass para la correcci\u00f3n de CVE-2025-27221 que puede exponer credenciales de usuario. Al usar el operador '+' para combinar URIs, informaci\u00f3n sensible como contrase\u00f1as del URI original puede filtrarse, violando RFC3986 y haciendo que las aplicaciones sean vulnerables a la exposici\u00f3n de credenciales. Las versiones 0.12.5, 0.13.3 y 1.0.4 corrigen el problema."}], "id": "CVE-2025-61594", "lastModified": "2026-04-16T18:16:44.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-12-30T21:15:43.893", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/advisories/GHSA-22h5-pq3x-2gf2"}, {"source": "security-advisories@github.com", "url": "https://github.com/ruby/uri/security/advisories/GHSA-j4pr-3wm6-xx2r"}, {"source": "security-advisories@github.com", "url": "https://hackerone.com/reports/2957667"}, {"source": "security-advisories@github.com", "url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-212"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "uri: URI module: Credential exposure via URI + operator", "id": "2426336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426336"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-212", "details": ["URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.", "A flaw was found in the URI module. A remote attacker could exploit this vulnerability by using the `+` operator to combine Uniform Resource Identifiers (URIs). This bypasses a previous fix and can lead to the leakage of sensitive information, such as user credentials (passwords), from the original URI, resulting in credential exposure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-61594", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/fluentd-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "rhel10/flatpak-sdk", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "rhel10/ruby-33", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "ubi10/ruby-33", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "rhel8/ruby-33", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "ruby:3.3/ruby", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "ubi8/ruby-33", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "rhel9/flatpak-sdk", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "rhel9/ruby-30", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "rhel9/ruby-33", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "ruby:3.3/ruby", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "ubi9/ruby-30", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "ubi9/ruby-33", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-30T21:03:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-61594\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-61594\nhttps://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902\nhttps://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c\nhttps://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a\nhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml\nhttps://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/"], "statement": "This vulnerability is rated Moderate as it allows for credential exposure when the URI module's `+` operator is used to combine URIs. This flaw bypasses a previous fix, potentially leading to sensitive information leakage from the original URI in affected applications across Red Hat Enterprise Linux, OpenShift Container Platform, and other products utilizing the vulnerable URI module.", "threat_severity": "Moderate"}

{"created": "2026-01-05T10:19:26.248120+00:00", "updated": "2026-01-05T10:19:26.248146+00:00", "vendors": ["ruby-lang", "ruby-lang$PRODUCT$uri"]}