Low severity · NVD Advisory · Published Mar 3, 2025 · Updated Nov 3, 2025
CVE-2025-27221
Description
In the URI gem for Ruby before 1.0.3 (with fixes backported to the 0.11, 0.12 and 0.13 series; see Affected packages), the URI handling methods URI.join, URI#merge and URI#+ inadvertently leak authentication credentials: the userinfo component of the base URI is retained even when the relative reference changes the host, so credentials intended for one host end up in a URI pointing at another.
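The following is an added example, not code from the advisory or from the ruby/uri project. It probes whatever uri library is loaded on the running Ruby for the behaviour described above (so the probe's answer depends on the installed gem version), and pairs it with an application-level guard that never carries the base URI's credentials onto an authority the reference itself supplies. The base URL, the references and the helper names (`userinfo_leaks_on_host_change?`, `safe_merge`, `compare`) are all constructed for illustration. The realistic trigger is an application that joins a configured base URL containing credentials with a path it does not fully control (a redirect `Location`, a user-supplied link): a network-path reference such as `//attacker.example/...` then yields a URI that ships the credentials to the attacker's host.

```ruby
require 'uri'

# Constructed sample inputs (not taken from the advisory): a base URL that
# carries credentials in its userinfo component, and relative references
# that either keep or change the authority.
BASE_WITH_CREDS    = 'http://user:secret@example.com/api/'
HOST_CHANGING_REF  = '//attacker.example/collect'   # network-path reference, new host
SAME_HOST_REF      = 'v2/items'                     # ordinary relative path, same host
REF_WITH_OWN_CREDS = '//other:pw@attacker.example/x'

# Probe the uri library that is actually loaded: does URI.join carry the
# base's userinfo onto a different host?  true means the vulnerable
# behaviour described in CVE-2025-27221 is present in this environment,
# false means the reference's authority replaced userinfo as RFC 3986 requires.
def userinfo_leaks_on_host_change?(base = BASE_WITH_CREDS, ref = HOST_CHANGING_REF)
  merged = URI.join(base, ref)
  merged.host != URI(base).host && !merged.userinfo.nil?
end

# Resolve +ref+ against +base+ without ever inheriting the base's credentials
# onto an authority the reference supplied.  This is an application-level
# guard (hypothetical helper, not the gem's own fix) and works the same on
# vulnerable and patched versions: RFC 3986 section 5.2.2 says that when the
# reference has an authority, the target takes exactly that authority,
# userinfo included (or, as here, userinfo absent).
def safe_merge(base, ref)
  base_uri = URI(base)
  ref_uri  = URI(ref)
  merged   = base_uri.merge(ref_uri)   # URI#+ is the same operation

  ref_has_authority = !(ref_uri.host.nil? && ref_uri.userinfo.nil? && ref_uri.port.nil?)
  return merged unless ref_has_authority

  # Drop whatever userinfo the merge left behind.  URI#userinfo= treats nil as
  # a no-op, so clear password first, then user (a nil user empties userinfo).
  merged.password = nil
  merged.user     = nil
  # Reinstate credentials only if the reference carried its own.
  if ref_uri.user
    merged.user     = ref_uri.user
    merged.password = ref_uri.password
  end
  merged
end

# Side-by-side view of what the loaded library does versus the guarded merge.
def compare(base, ref)
  { library: URI.join(base, ref).to_s, guarded: safe_merge(base, ref).to_s }
end

if $PROGRAM_NAME == __FILE__
  version = defined?(URI::VERSION) ? URI::VERSION : 'unknown'
  puts "uri #{version}: leaks userinfo across host change? #{userinfo_leaks_on_host_change?}"
  [HOST_CHANGING_REF, SAME_HOST_REF, REF_WITH_OWN_CREDS].each do |ref|
    r = compare(BASE_WITH_CREDS, ref)
    puts "#{ref.ljust(30)} library=#{r[:library]}"
    puts "#{' ' * 30} guarded=#{r[:guarded]}"
  end
end
```

On a vulnerable gem the first line of output reports `true` and the library column for `//attacker.example/collect` reads `http://user:secret@attacker.example/collect`; on 0.11.3, 0.12.4, 0.13.2 or 1.0.3 and later it reads `http://attacker.example/collect`. The guarded column is identical on both: credentials survive only for the same-host relative path, where the authority is unchanged, and for the reference that brought its own userinfo.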
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| uri | RubyGems | < 0.11.3 | 0.11.3 |
| uri | RubyGems | >= 0.12.0, < 0.12.4 | 0.12.4 |
| uri | RubyGems | >= 0.13.0, < 0.13.2 | 0.13.2 |
| uri | RubyGems | >= 1.0.0, < 1.0.3 | 1.0.3 |
Affected products: 1
Patches: No patches discovered yet by this index (the patched gem versions are listed in the Affected packages table above).
References (12, as listed in the GitHub Security Advisory)
- github.com/advisories/GHSA-22h5-pq3x-2gf2 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-27221 (advisory)
- github.com/ruby/uri/pull/154 (web)
- github.com/ruby/uri/pull/155 (web)
- github.com/ruby/uri/pull/156 (web)
- github.com/ruby/uri/pull/157 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml (web)
- hackerone.com/reports/2957667 (web)
- lists.debian.org/debian-lts-announce/2025/03/msg00008.html (web)
- lists.debian.org/debian-lts-announce/2025/05/msg00015.html (web)
- www.cve.org/CVERecord (web)
- www.ruby-lang.org/en/news/2025/02/26/security-advisories (web)