CVE-2025-27221: URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+
There is a possibility of userinfo leakage in the uri gem, affecting URI#join, URI#merge, and URI#+. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.
References
- github.com/advisories/GHSA-22h5-pq3x-2gf2
- github.com/ruby/uri
- github.com/ruby/uri/pull/154
- github.com/ruby/uri/pull/155
- github.com/ruby/uri/pull/156
- github.com/ruby/uri/pull/157
- github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml
- hackerone.com/reports/2957667
- nvd.nist.gov/vuln/detail/CVE-2025-27221
- www.cve.org/CVERecord?id=CVE-2025-27221
- www.ruby-lang.org/en/news/2025/02/26/security-advisories