← back
CVE-2025-27221

CVE-2025-27221

CVSS 3.2 LOWEPSS 0.5%CWE-212
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected products
ruby-lang · URI

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.ymlhttps://hackerone.com/reports/2957667https://lists.debian.org/debian-lts-announce/2025/03/msg00008.htmlhttps://lists.debian.org/debian-lts-announce/2025/05/msg00015.html