JRuby-OpenSSL has hostname verification disabled by default
Description
JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could present any valid certificate for a completely different domain they own, and JRuby would accept it. This affects anybody using JRuby to make requests to external APIs, or to scrape the web, who depends on HTTPS to connect securely. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JRuby-OpenSSL fails to verify hostnames in SSL certificates, allowing man-in-the-middle attacks.
Vulnerability
JRuby-OpenSSL, an add-on gem for JRuby that emulates the Ruby OpenSSL native library, contains a flaw in its SSL certificate verification logic. Starting in version 0.12.1 and prior to 0.15.4, the gem does not verify that the hostname in the certificate matches the hostname the user intends to connect to [1]. Certificate validation is therefore incomplete: the chain is still checked, but the critical identity check that binds the validated certificate to the requested hostname is missing.
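To make the gap concrete, here is an added Ruby example (not code from JRuby-OpenSSL or from the advisory) that separates the two checks: it builds a constructed self-signed certificate for one name, runs the identity check that affected versions skipped (`OpenSSL::SSL.verify_certificate_identity`) against both the intended hostname and an unrelated one, and reports whether the loaded OpenSSL implementation enables `verify_hostname` in its defaults. The hostname `api.example.test` and the audit helper names are assumptions for illustration.

```ruby
require 'openssl'

# Audit helper (assumed name): does the loaded OpenSSL implementation turn on
# hostname checks by default? On affected JRuby-OpenSSL (0.12.1 .. 0.15.3)
# DEFAULT_PARAMS[:verify_hostname] is nil, so this returns false.
def default_hostname_verification?
  !!OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_hostname]
end

# Constructed test certificate: self-signed, valid for exactly one DNS name.
# Chain validation of such a cert can succeed (if the CA is trusted) no matter
# which host the client meant to reach; only the identity check catches that.
def self_signed_cert(dns_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The step the affected versions never ran: compare the peer certificate's
# names (subjectAltName, falling back to CN) with the host we intended to reach.
def identity_matches?(cert, intended_hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, intended_hostname)
end

if __FILE__ == $0
  cert = self_signed_cert('api.example.test')
  puts "defaults enable hostname verification: #{default_hostname_verification?}"
  puts "cert for api.example.test accepted for api.example.test?  " \
       "#{identity_matches?(cert, 'api.example.test')}"   # true
  puts "cert for api.example.test accepted for login.other.test?  " \
       "#{identity_matches?(cert, 'login.other.test')}"   # false
end
```

Run under an affected JRuby-OpenSSL the first line prints `false`; the last two lines show what the skipped check would have decided.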
Exploitation
An attacker in a man-in-the-middle position can exploit this vulnerability by presenting any valid certificate issued to a domain they control. Because JRuby-OpenSSL bypasses hostname verification, the connection is accepted as legitimate even though the certificate does not correspond to the target server [1][3]. No special privileges or authentication are required; the attacker only needs to intercept the TLS handshake.
Impact
A successful exploit completely undermines the security guarantees of HTTPS. The attacker can eavesdrop on, modify, or redirect traffic intended for a trusted server, compromising the confidentiality and integrity of any data exchanged. This affects any JRuby application that uses HTTPS to communicate with external APIs or scrape the web [1][4].
Mitigation
The fix is included in JRuby-OpenSSL version 0.15.4 and JRuby versions 9.4.12.1 and 10.0.0.1 [1][4]. Users should update to these versions immediately. No workarounds are documented; updating the gem is the recommended course of action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rubygems:jruby-openssl | Maven | >= 0.12.1, < 0.15.4 | 0.15.4 |
| org.jruby:jruby | Maven | >= 10.0.0.0, < 10.0.0.1 | 10.0.0.1 |
| org.jruby:jruby | Maven | >= 9.3.4.0, < 9.4.12.1 | 9.4.12.1 |
| jruby-openssl | RubyGems | >= 0.12.1, < 0.15.4 | 0.15.4 |
Affected products
OSV coordinates (4 versions), with their affected ranges in the order listed:
- pkg:apk/chainguard/elasticsearch-8.17 (no CPE): range < 8.17.10-r13
- pkg:gem/jruby-openssl (no CPE): range >= 0.12.1, < 0.15.4
- pkg:maven/org.jruby/jruby (no CPE): range >= 10.0.0.0, < 10.0.0.1
- pkg:maven/rubygems/jruby-openssl (no CPE): range >= 0.12.1, < 0.15.4
- jruby/jruby-openssl (v5): range >= 0.12.1, < 0.15.4
Patches (2)
31a56d690ce9: Merge commit from fork
1 file changed · +1 −1
lib/openssl/ssl.rb+1 −1 modified@@ -20,7 +20,7 @@ class SSLContext DEFAULT_PARAMS = { # :nodoc: :min_version => OpenSSL::SSL::TLS1_VERSION, :verify_mode => OpenSSL::SSL::VERIFY_PEER, - :verify_hostname => nil, # TODO => true needs JRuby support to call verify_certificate_identity + :verify_hostname => true, :options => OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION }
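Review bot: the removed TODO says `:verify_hostname => true` needs JRuby support to call `verify_certificate_identity`, but this hunk only flips the default in DEFAULT_PARAMS and does not show where that support landed; the merge should point at the change that wires `verify_certificate_identity` into the post-handshake path, and a regression test that a connection to a peer presenting a valid certificate for a different name now fails would confirm the new default is actually enforced rather than silently ignored.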
b1fc5d645c0d: Verify hostname by default
1 file changed · +1 −1
lib/openssl/ssl.rb+1 −1 modified@@ -20,7 +20,7 @@ class SSLContext DEFAULT_PARAMS = { # :nodoc: :min_version => OpenSSL::SSL::TLS1_VERSION, :verify_mode => OpenSSL::SSL::VERIFY_PEER, - :verify_hostname => nil, # TODO => true needs JRuby support to call verify_certificate_identity + :verify_hostname => true, :options => OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION }
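Review bot: this is the same one-line hunk as the merge commit above (same file, same line), so the same concern applies; in addition, because only DEFAULT_PARAMS changes, an application that sets `verify_hostname` itself is unaffected by this hunk, and a changelog entry stating that hostname verification is now on by default, and that `:verify_mode => VERIFY_PEER` (already in these defaults) is what it relies on, belongs with the change so upgraders know what changed.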
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-72qj-48g4-5xgx (GHSA, ADVISORY)
[2] nvd.nist.gov/vuln/detail/CVE-2025-46551 (GHSA, ADVISORY)
[3] github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285 (GHSA, x_refsource_MISC, WEB)
[4] github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055 (GHSA, WEB)
[5] github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx (GHSA, x_refsource_CONFIRM, WEB)
[6] github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2025-46551.yml (GHSA, WEB)
News mentions
No linked articles in our index yet.