CVE-2025-46551: JRuby-OpenSSL has hostname verification disabled by default
When verifying SSL certificates, jruby-openssl does not check that the hostname in the presented certificate matches the host the client is connecting to. A man-in-the-middle attacker can therefore present any valid certificate for a completely different domain they control, and JRuby will accept the connection without complaint.
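As an added illustration (not code from the advisory or from the jruby-openssl project), the following Ruby uses the standard openssl library's certificate identity check against a constructed self-signed certificate for the constructed host `service.example`, and shows a client context that turns hostname verification on explicitly instead of relying on the library default; it assumes the openssl gem API (`verify_hostname`, `verify_certificate_identity`, `post_connection_check`), which jruby-openssl mirrors.

```ruby
require "openssl"

# Build a self-signed certificate whose SAN names the given host, so the
# identity check can run offline against constructed data.
def build_cert(dns_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The check the advisory says is skipped: is the host we intended to reach
# covered by the certificate's subjectAltName (or CN, when no SAN is present)?
# A chain-valid certificate for another domain fails this and must be rejected.
def certificate_matches_host?(cert, expected_host)
  OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# Hardened client context: chain verification plus hostname verification,
# set explicitly rather than trusting the library's default.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params                                    # default CA store and secure defaults
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER   # reject untrusted chains
  ctx.verify_hostname = true                        # the setting reported off by default
  ctx
end

# With a live socket the same identity check is done by
#   ssl.hostname = host   (SNI)   and   ssl.post_connection_check(host)
# after connect; a mismatch raises OpenSSL::SSL::SSLError.
```

The same `verify_certificate_identity` logic is what `post_connection_check` applies to the peer certificate, so calling it after `connect` is the belt-and-braces check for clients that cannot yet upgrade.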
References
- github.com/advisories/GHSA-72qj-48g4-5xgx
- github.com/jruby/jruby-openssl
- github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285
- github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055
- github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx
- nvd.nist.gov/vuln/detail/CVE-2025-46551