CVE-2025-61594
Unknown Unknown - Not Provided
Credential Exposure via URI Concatenation Bypass in URI Module

Publication date: 2025-12-30

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61594
EUVD
EUVD-2025-205858
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ruby-lang uri to 0.12.5 (exc)
ruby-lang uri From 0.13.0 (inc) to 0.13.3 (exc)
ruby-lang uri From 1.0.0 (inc) to 1.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61594 is a vulnerability in the Ruby URI library where using the `+` operator to combine URIs can cause sensitive information, such as passwords from the original URI, to be leaked. This happens because the handling of userinfo components (user and password) was improper, allowing credential exposure by bypassing previous fixes. The vulnerability violates RFC3986 by exposing user credentials unintentionally. The issue arises from how userinfo is assigned and merged in URI objects, where passwords could be retained or leaked when URIs are combined or modified. The patch fixes this by ensuring userinfo components are managed together, clearing passwords when users change, and resetting userinfo when host or port changes, thus preventing credential leakage. [1, 2, 3, 4]

Impact Analysis

This vulnerability can lead to unintended exposure of sensitive credentials, such as passwords embedded in URIs, when applications use the Ruby URI library to combine or manipulate URIs. If exploited, it could cause leakage of user credentials to unauthorized parties, potentially compromising user accounts or services that rely on these URIs for authentication. This can undermine the security of applications relying on the URI library for handling URIs, especially when concatenating or merging URIs using the `+` operator. [1, 2, 3, 4]

Compliance Impact

This vulnerability affects compliance by causing unintended exposure of sensitive user credentials, which can be considered personal data under regulations like GDPR and protected health information under HIPAA. Leakage of such credentials violates data protection principles requiring confidentiality and secure handling of personal information. Therefore, applications affected by this vulnerability may fail to meet security requirements mandated by these standards, potentially leading to compliance violations and associated legal or regulatory consequences. [4]

Detection Guidance

This vulnerability can be detected by checking if your Ruby URI gem version is vulnerable (versions prior to 0.12.5, 0.13.3, and 1.0.4). Additionally, you can audit your codebase or logs for usage of the `+` operator to combine URIs where userinfo (user and password) might be improperly merged or leaked. There are no specific commands provided in the resources, but you can check the installed URI gem version using RubyGems commands like `gem list uri` or inspect your application's dependency files (e.g., Gemfile.lock). Also, reviewing your URI handling code for concatenation or merging of URIs that might expose credentials is recommended. [4]

Mitigation Strategies

The immediate mitigation step is to upgrade the Ruby URI gem to a fixed version: 0.12.5, 0.13.3, 1.0.4, or later. These versions include patches that properly handle userinfo components in URIs, preventing credential leakage when combining URIs. Upgrading ensures that the fixes described in the patches (such as clearing passwords when users change, resetting userinfo on host or port changes, and improved URI merge logic) are applied, thus mitigating the vulnerability. [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart