Low severity · NVD Advisory · Published Mar 3, 2025 · Updated Nov 3, 2025
CVE-2025-27221
Description
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
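The userinfo retention described above, shown as an added example that is not part of this advisory or of the uri gem's own code: a merge wrapper that drops the base URI's credentials whenever the merged result points at a different authority (the rule uri 1.0.3 enforces inside the library), plus an audit helper a test suite can use to detect an unpatched gem. The host names and the credential string are constructed placeholders.

```ruby
require 'uri'

# Added example, not code from the advisory or from the uri gem. The wrapper
# applies the rule that uri 1.0.3 enforces inside the library itself: when a
# merge changes the authority, the base URI's userinfo must not carry over.
# It is a belt-and-braces guard for applications pinned to an older gem.
def merge_without_credential_leak(base, ref)
  base = URI(base)
  merged = base.merge(ref) # same code path as URI.join and URI#+
  same_authority = merged.scheme == base.scheme &&
                   merged.host == base.host &&
                   merged.port == base.port
  unless same_authority
    # Clear the password first so no stale password lingers internally
    # after the user component is removed.
    merged.password = nil
    merged.user = nil
  end
  merged
end

# Audit helper: true when the installed uri gem carries the base credentials
# onto a different host. Run it against a base/reference pair in a test suite
# to detect an unpatched gem in the dependency tree.
def leaks_userinfo?(base, ref)
  base = URI(base)
  merged = base.merge(ref)
  !merged.userinfo.nil? && merged.host != base.host
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not a real credential or host.
  base = 'http://user:secret@example.com/api/'
  puts "installed uri gem leaks userinfo: #{leaks_userinfo?(base, '//other.example/callback')}"
  puts merge_without_credential_leak(base, '//other.example/callback') # http://other.example/callback
  puts merge_without_credential_leak(base, 'v2/items')                 # http://user:secret@example.com/api/v2/items
end
```

The relative-path case keeps the credentials because the authority is unchanged; only a reference that introduces a new host, scheme or port is stripped.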
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| uri (RubyGems) | < 0.11.3 | 0.11.3 |
| uri (RubyGems) | >= 0.12.0, < 0.12.4 | 0.12.4 |
| uri (RubyGems) | >= 0.13.0, < 0.13.2 | 0.13.2 |
| uri (RubyGems) | >= 1.0.0, < 1.0.3 | 1.0.3 |
Affected products
References
- github.com/advisories/GHSA-22h5-pq3x-2gf2 [GHSA, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2025-27221 [GHSA, ADVISORY]
- github.com/ruby/uri/pull/154 [GHSA, WEB]
- github.com/ruby/uri/pull/155 [GHSA, WEB]
- github.com/ruby/uri/pull/156 [GHSA, WEB]
- github.com/ruby/uri/pull/157 [GHSA, WEB]
- github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml [GHSA, WEB]
- hackerone.com/reports/2957667 [GHSA, WEB]
- lists.debian.org/debian-lts-announce/2025/03/msg00008.html [GHSA, WEB]
- lists.debian.org/debian-lts-announce/2025/05/msg00015.html [GHSA, WEB]
- www.cve.org/CVERecord [GHSA, WEB]
- www.ruby-lang.org/en/news/2025/02/26/security-advisories [GHSA, WEB]