CVE-2025-61594: URI Credential Leakage Bypass over CVE-2025-27221
In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.
When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.
The vulnerability affects the uri gem bundled with the following Ruby series:
- 0.12.4 and earlier (bundled in Ruby 3.2 series)
- 0.13.2 and earlier (bundled in Ruby 3.3 series)
- 1.0.3 and earlier (bundled in Ruby 3.4 series)
References
- github.com/advisories/GHSA-j4pr-3wm6-xx2r
- github.com/ruby/uri
- github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
- github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c
- github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a
- github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
- nvd.nist.gov/vuln/detail/CVE-2025-61594
- www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
Code Behaviors & Features
Detect and mitigate CVE-2025-61594 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →