CVE-2025-61594
Credential Exposure via URI Concatenation Bypass in URI Module
Publication date: 2025-12-30
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruby-lang | uri | to 0.12.5 (exc) |
| ruby-lang | uri | From 0.13.0 (inc) to 0.13.3 (exc) |
| ruby-lang | uri | From 1.0.0 (inc) to 1.0.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61594 is a vulnerability in the Ruby URI library where combining URIs with the `+` operator can leak sensitive information, such as the password from the original URI. The root cause is improper handling of the userinfo components (user and password), which allowed credential exposure by bypassing the previous fix. The resulting leak contradicts RFC 3986, which does not intend user credentials to be carried over in this way. The issue arises from how userinfo is assigned and merged in URI objects: a password could be retained or leaked when URIs are combined or modified. The patch fixes this by managing the userinfo components together, clearing the password when the user changes, and resetting userinfo when the host or port changes, thus preventing credential leakage. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can lead to unintended exposure of sensitive credentials, such as passwords embedded in URIs, when applications use the Ruby URI library to combine or manipulate URIs. If exploited, it could cause leakage of user credentials to unauthorized parties, potentially compromising user accounts or services that rely on these URIs for authentication. This can undermine the security of applications relying on the URI library for handling URIs, especially when concatenating or merging URIs using the `+` operator. [1, 2, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability affects compliance by causing unintended exposure of sensitive user credentials, which can be considered personal data under regulations like GDPR and protected health information under HIPAA. Leakage of such credentials violates data protection principles requiring confidentiality and secure handling of personal information. Therefore, applications affected by this vulnerability may fail to meet security requirements mandated by these standards, potentially leading to compliance violations and associated legal or regulatory consequences. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your installed uri gem version falls in an affected range: any version before 0.12.5, versions from 0.13.0 up to but excluding 0.13.3, and versions from 1.0.0 up to but excluding 1.0.4. Additionally, you can audit your codebase or logs for uses of the `+` operator to combine URIs where userinfo (user and password) might be improperly merged or leaked. The resources provide no specific commands, but you can check the installed uri gem version with RubyGems commands such as `gem list uri` or by inspecting your application's dependency files (e.g., Gemfile.lock). Reviewing your URI-handling code for concatenation or merging of URIs that might expose credentials is also recommended. [4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Ruby URI gem to a fixed version: 0.12.5, 0.13.3, 1.0.4, or later. These versions include patches that properly handle userinfo components in URIs, preventing credential leakage when combining URIs. Upgrading ensures that the fixes described in the patches (such as clearing passwords when users change, resetting userinfo on host or port changes, and improved URI merge logic) are applied, thus mitigating the vulnerability. [4]