CVE-2025-27221: In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication...

3.2 CVSS

Description

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Classification

CVE ID: CVE-2025-27221

CVSS Base Severity: LOW

CVSS Base Score: 3.2

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Problem Types

CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer

Affected Products

Vendor: ruby-lang

Product: URI

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.25% (scored less or equal to compared to others)

EPSS Date: 2025-04-01 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27221
https://hackerone.com/reports/2957667
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml

Timeline

2025-03-03 23:15:29 UTC
Github Advisory Database (RubyGems)

[uri] URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+
2025-03-04 00:40:18 UTC
CVE

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication...