GHSA-22h5-pq3x-2gf2

Source
https://github.com/advisories/GHSA-22h5-pq3x-2gf2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-22h5-pq3x-2gf2/GHSA-22h5-pq3x-2gf2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-22h5-pq3x-2gf2
Aliases
Related
Published
2025-03-03T22:07:53Z
Modified
2025-03-04T16:15:09.070798Z
Severity
  • 3.2 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+
Details

There is a possibility of userinfo leakage in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.

Details

The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host had been replaced. If one of these methods was used to build a URL pointing at a malicious host from a URL that carried secret userinfo, and someone then accessed the resulting URL, the userinfo could be leaked unintentionally.

Please update the uri gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.
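The following Ruby snippet is an added example and is not part of the advisory or of the uri gem itself. It shows two things a maintainer of an affected application would want: a probe that reports whether the installed gem still carries a base URL's userinfo across a host replacement (the behaviour described above, exercised with a network-path reference such as `//other.example/`), and a wrapper around URI#merge (which URI#+ and URI.join build on) that drops the base's user:password whenever the merged result lands on a different origin, so the application is safe even before the gem is upgraded. The helper names `same_origin?`, `safe_merge` and `uri_gem_retains_userinfo?` and the sample hosts and credentials are constructed for this example.

```ruby
# Added example (not the advisory's or the uri gem's own code): a defensive
# wrapper around URI#merge / URI#+ / URI.join plus a probe for the behaviour
# described in GHSA-22h5-pq3x-2gf2.
require "uri"

# True when two URIs share scheme, host and effective port. Host comparison is
# case-insensitive; a missing port falls back to the scheme's default port.
def same_origin?(a, b)
  a.scheme.to_s.downcase == b.scheme.to_s.downcase &&
    a.host.to_s.downcase == b.host.to_s.downcase &&
    (a.port || a.default_port) == (b.port || b.default_port)
end

# Merge +rel+ into +base+ and discard any user:password the base contributed
# if the result points at a different origin. Credentials embedded in a URL
# are only meaningful for the origin they were issued for, so carrying them
# over to another host is never the intended outcome.
def safe_merge(base, rel)
  base = URI.parse(base) unless base.is_a?(URI::Generic)
  merged = base.merge(rel)
  unless same_origin?(base, merged)
    # Assigning nil to userinfo= is a no-op in this gem, so clear the two
    # components individually. Password goes first because the gem only
    # accepts a password while a user component is present.
    merged.password = nil if merged.password
    merged.user = nil if merged.user
  end
  merged
end

# Detection probe: a fixed gem discards the base's credentials when the
# relative reference carries its own authority; an affected version keeps them.
# Constructed sample values; "secret" is a placeholder, not a real credential.
def uri_gem_retains_userinfo?
  probe = URI.parse("https://user:secret@example.com/").merge("//other.example/")
  !probe.userinfo.nil?
end

if __FILE__ == $0
  version = defined?(URI::VERSION) ? URI::VERSION : "unknown"
  puts "uri gem #{version}: retains userinfo across host replacement? #{uri_gem_retains_userinfo?}"
  # Cross-origin merge: credentials never survive, whatever the gem version.
  puts safe_merge("https://user:secret@example.com/api", "//other.example/callback")
  # Same-origin merge: credentials are kept, as the application expects.
  puts safe_merge("https://user:secret@example.com/api", "/v2/callback")
end
```

`uri_gem_retains_userinfo?` is what a CI job or a startup self-check would call to flag an unpatched gem; `safe_merge` is the drop-in for code that builds redirect or callback URLs from a base that may carry credentials. Both treat the gem's own result as untrusted and only rely on the public `host`, `port`, `user` and `password` accessors.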

Affected versions

uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.

Credits

Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.

Database specific
{
    "nvd_published_at": "2025-03-04T00:15:31Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-212"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T22:07:53Z"
}
References

Affected packages

RubyGems / uri

Package

Name
uri
Purl
pkg:gem/uri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version: all previous versions are affected)
Fixed
0.11.3

Affected versions

0.*

0.10.0
0.10.0.1
0.10.0.2
0.10.0.3
0.10.1
0.10.2
0.10.3
0.11.0
0.11.1
0.11.2

RubyGems / uri

Package

Name
uri
Purl
pkg:gem/uri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.12.0
Fixed
0.12.4

Affected versions

0.*

0.12.0
0.12.1
0.12.2
0.12.3

RubyGems / uri

Package

Name
uri
Purl
pkg:gem/uri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.13.0
Fixed
0.13.2

Affected versions

0.*

0.13.0
0.13.1

RubyGems / uri

Package

Name
uri
Purl
pkg:gem/uri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.3

Affected versions

1.*

1.0.0
1.0.1
1.0.2