ALPINE-CVE-2025-61594

Source
https://security.alpinelinux.org/vuln/CVE-2025-61594
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2025-61594.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2025-61594
Published
2025-12-30T21:15:43.893Z
Modified
2025-12-31T11:13:52.897578Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

Affected packages

Alpine:v3.20 / ruby

Package

Name
ruby
Purl
pkg:apk/alpine/ruby?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3.10-r0

Affected versions

3.*

3.3.3-r1
3.3.6-r0
3.3.8-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2025-61594.json"

Alpine:v3.21 / ruby

Package

Name
ruby
Purl
pkg:apk/alpine/ruby?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3.10-r0

Affected versions

3.*

3.3.3-r1
3.3.3-r2
3.3.6-r0
3.3.8-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2025-61594.json"

Alpine:v3.23 / ruby

Package

Name
ruby
Purl
pkg:apk/alpine/ruby?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.4.7-r0

Affected versions

3.*

3.3.3-r1
3.3.3-r2
3.3.6-r0
3.4.1-r0
3.4.3-r0
3.4.3-r1
3.4.4-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2025-61594.json"