CVE-2025-46551: JRuby-OpenSSL has hostname verification disabled by default
When verifying SSL certificates, jruby-openssl does not check that the hostname in the presented certificate matches the host the client is trying to connect to. An attacker in a man-in-the-middle position can therefore present any valid certificate for a completely different domain they control, and JRuby will accept it without complaint.
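The missing check is the one a TLS client performs after chain validation: does the certificate actually name the host I asked for? The following is an added example (not code from jruby-openssl or from the advisory) showing, with Ruby's standard OpenSSL API, what that check looks like in isolation and how a client context is configured so the socket enforces it explicitly rather than relying on a library default. The certificate is a constructed self-signed sample so the script runs offline; the helper names `make_cert`, `hostname_matches?` and `strict_client_context` are this example's own. The advisory does not say which jruby-openssl versions honour `verify_hostname`, so on JRuby treat the explicit setting as a belt-and-braces measure, not a substitute for updating the gem.

```ruby
require "openssl"

# Build a self-signed X.509v3 certificate naming the given hosts.
# Constructed sample data, only so the example runs without a network.
def make_cert(common_name, sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san_value = sans.map { |h| "DNS:#{h}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san_value, false))

  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The hostname check itself: true only if the certificate's SAN entries
# (or, absent a SAN, its CN) cover the host we intended to reach.
# This is the same routine an SSLSocket runs when verify_hostname is on;
# a library that skips it will accept a valid cert for any other domain.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# A client SSLContext that enforces both chain validation and the
# hostname check at the socket level, independent of library defaults.
def strict_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params # default CA store and parameters
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx
end

if __FILE__ == $PROGRAM_NAME
  cert = make_cert("example.com", ["example.com", "www.example.com"])
  puts "example.com          -> #{hostname_matches?(cert, 'example.com')}"
  puts "www.example.com      -> #{hostname_matches?(cert, 'www.example.com')}"
  puts "other.example.net    -> #{hostname_matches?(cert, 'other.example.net')}"
  ctx = strict_client_context
  puts "verify_hostname set  -> #{ctx.verify_hostname}"
end
```

When such a context is used with `OpenSSL::SSL::SSLSocket`, pass the intended hostname via `hostname=` before `connect` so that the check has something to compare against; a context with `verify_hostname` set but no hostname on the socket has nothing to verify.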