CVE-2025-61594 — Improper Removal of Sensitive Information Before Storage or Transfer in URI

CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer10 documents8 sources

Severity

2.7LOWNVD

GHSA5.3OSV5.3

EPSS

0.0%

top 99.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang URI Debian Ruby2.7 Debian Ruby3.1 +6 more

Timeline

PublishedDec 30

Latest updateMar 31

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages10 packages

▶NVDruby-lang/uri0.13.0 — 0.13.3+2

▶RubyGemsruby-lang/uri0.13.0 — 0.13.3+2

▶debiandebian/ruby2.7

▶debiandebian/ruby3.1

▶debiandebian/ruby3.3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-61594: URI is a module providing classes to handle Uniform Resource Identifiers↗2025-12-30

▶

OSV

URI Credential Leakage Bypass over CVE-2025-27221↗2025-12-30

▶

GHSA

URI Credential Leakage Bypass over CVE-2025-27221↗2025-12-30

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerability↗2026-03-31

▶

Red Hat

uri: URI module: Credential exposure via URI + operator↗2025-12-30

▶

Microsoft

URI Credential Leakage Bypass over CVE-2025-27221↗2025-12-09

▶

Debian

CVE-2025-61594: ruby2.7 - URI is a module providing classes to handle Uniform Resource Identifiers. In ver...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-61594 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-10990 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶