UBUNTU-CVE-2025-61594

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-61594

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-61594

Upstream

CVE-2025-61594

Downstream

USN-8137-1

Related

USN-8137-1

Published

2025-12-30T21:15:00Z

Modified

2026-05-20T16:23:38.437858705Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Ubuntu - low

Summary

[none]

Details

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

References

Affected packages

Ubuntu:22.04:LTS

ruby3.0

Package

Name: ruby3.0
Purl: pkg:deb/ubuntu/ruby3.0?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.2-7ubuntu2.12

Affected versions

3.*

3.0.2-5ubuntu1

3.0.2-7

3.0.2-7ubuntu2

3.0.2-7ubuntu2.1

3.0.2-7ubuntu2.2

3.0.2-7ubuntu2.3

3.0.2-7ubuntu2.4

3.0.2-7ubuntu2.5

3.0.2-7ubuntu2.6

3.0.2-7ubuntu2.7

3.0.2-7ubuntu2.8

3.0.2-7ubuntu2.10

3.0.2-7ubuntu2.11

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "3.0.2-7ubuntu2.12",
            "binary_name": "libruby3.0"
        },
        {
            "binary_version": "3.0.2-7ubuntu2.12",
            "binary_name": "ruby3.0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json"

Ubuntu:24.04:LTS

ruby3.2

Package

Name: ruby3.2
Purl: pkg:deb/ubuntu/ruby3.2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.3-1ubuntu0.24.04.7

Affected versions

3.*

3.2.3-1

3.2.3-1build2

3.2.3-1build3

3.2.3-1ubuntu0.24.04.1

3.2.3-1ubuntu0.24.04.3

3.2.3-1ubuntu0.24.04.5

3.2.3-1ubuntu0.24.04.6

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "3.2.3-1ubuntu0.24.04.7",
            "binary_name": "libruby3.2"
        },
        {
            "binary_version": "3.2.3-1ubuntu0.24.04.7",
            "binary_name": "ruby3.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json"

Ubuntu:25.10

ruby3.3

Package

Name: ruby3.3
Purl: pkg:deb/ubuntu/ruby3.3?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.8-2ubuntu2.1

Affected versions

3.*

3.3.7-1ubuntu2

3.3.8-2ubuntu1

3.3.8-2ubuntu2

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "3.3.8-2ubuntu2.1",
            "binary_name": "libruby3.3"
        },
        {
            "binary_version": "3.3.8-2ubuntu2.1",
            "binary_name": "ruby3.3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json"

Ubuntu:26.04:LTS

ruby3.3

Package

Name: ruby3.3
Purl: pkg:deb/ubuntu/ruby3.3?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.8-2ubuntu2

3.3.8-2ubuntu3

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "binaries": [
        {
            "binary_version": "3.3.8-2ubuntu3",
            "binary_name": "libruby3.3"
        },
        {
            "binary_version": "3.3.8-2ubuntu3",
            "binary_name": "ruby3.3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json"

Ubuntu:Pro:16.04:LTS

ruby2.3

Package

Name: ruby2.3
Purl: pkg:deb/ubuntu/ruby2.3?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1-2~ubuntu16.04.16+esm12

Affected versions

2.*

2.3.0-1

2.3.0-2

2.3.0-4ubuntu2

2.3.0-4ubuntu3

2.3.0-5ubuntu1

2.3.1-2~16.04

2.3.1-2~16.04.2

2.3.1-2~16.04.4

2.3.1-2~16.04.5

2.3.1-2~16.04.6

2.3.1-2~16.04.7

2.3.1-2~16.04.9

2.3.1-2~16.04.10

2.3.1-2~16.04.11

2.3.1-2~16.04.12

2.3.1-2~ubuntu16.04.13

2.3.1-2~ubuntu16.04.14

2.3.1-2~ubuntu16.04.15

2.3.1-2~ubuntu16.04.16

2.3.1-2~ubuntu16.04.16+esm1

2.3.1-2~ubuntu16.04.16+esm2

2.3.1-2~ubuntu16.04.16+esm3

2.3.1-2~ubuntu16.04.16+esm4

2.3.1-2~ubuntu16.04.16+esm5

2.3.1-2~ubuntu16.04.16+esm6

2.3.1-2~ubuntu16.04.16+esm7

2.3.1-2~ubuntu16.04.16+esm8

2.3.1-2~ubuntu16.04.16+esm9

2.3.1-2~ubuntu16.04.16+esm10

2.3.1-2~ubuntu16.04.16+esm11

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.3.1-2~ubuntu16.04.16+esm12",
            "binary_name": "libruby2.3"
        },
        {
            "binary_version": "2.3.1-2~ubuntu16.04.16+esm12",
            "binary_name": "ruby2.3"
        },
        {
            "binary_version": "2.3.1-2~ubuntu16.04.16+esm12",
            "binary_name": "ruby2.3-tcltk"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json"

Ubuntu:Pro:18.04:LTS

ruby2.5

Package

Name: ruby2.5
Purl: pkg:deb/ubuntu/ruby2.5?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.1-1ubuntu1.16+esm7

Affected versions

2.*

2.5.0~preview1-1ubuntu2

2.5.0-4ubuntu1

2.5.0-4ubuntu4

2.5.0-5ubuntu1

2.5.0-6ubuntu1

2.5.1-1ubuntu1

2.5.1-1ubuntu1.1

2.5.1-1ubuntu1.2

2.5.1-1ubuntu1.4

2.5.1-1ubuntu1.5

2.5.1-1ubuntu1.6

2.5.1-1ubuntu1.7

2.5.1-1ubuntu1.8

2.5.1-1ubuntu1.9

2.5.1-1ubuntu1.10

2.5.1-1ubuntu1.11

2.5.1-1ubuntu1.12

2.5.1-1ubuntu1.13

2.5.1-1ubuntu1.14

2.5.1-1ubuntu1.15

2.5.1-1ubuntu1.16

2.5.1-1ubuntu1.16+esm1

2.5.1-1ubuntu1.16+esm3

2.5.1-1ubuntu1.16+esm4

2.5.1-1ubuntu1.16+esm5

2.5.1-1ubuntu1.16+esm6

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.5.1-1ubuntu1.16+esm7",
            "binary_name": "libruby2.5"
        },
        {
            "binary_version": "2.5.1-1ubuntu1.16+esm7",
            "binary_name": "ruby2.5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json"

Ubuntu:Pro:20.04:LTS

ruby2.7

Package

Name: ruby2.7
Purl: pkg:deb/ubuntu/ruby2.7?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.0-5ubuntu1.18+esm4

Affected versions

2.*

2.7.0-1

2.7.0-2

2.7.0-3

2.7.0-4

2.7.0-4ubuntu1

2.7.0-5ubuntu1

2.7.0-5ubuntu1.1

2.7.0-5ubuntu1.2

2.7.0-5ubuntu1.3

2.7.0-5ubuntu1.4

2.7.0-5ubuntu1.5

2.7.0-5ubuntu1.6

2.7.0-5ubuntu1.7

2.7.0-5ubuntu1.8

2.7.0-5ubuntu1.9

2.7.0-5ubuntu1.10

2.7.0-5ubuntu1.11

2.7.0-5ubuntu1.12

2.7.0-5ubuntu1.13

2.7.0-5ubuntu1.14

2.7.0-5ubuntu1.15

2.7.0-5ubuntu1.16

2.7.0-5ubuntu1.17

2.7.0-5ubuntu1.18

2.7.0-5ubuntu1.18+esm1

2.7.0-5ubuntu1.18+esm3

Ecosystem specific

{
    "priority_reason": "This is a low severity issue",
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.7.0-5ubuntu1.18+esm4",
            "binary_name": "libruby2.7"
        },
        {
            "binary_version": "2.7.0-5ubuntu1.18+esm4",
            "binary_name": "ruby2.7"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61594.json"