CVE-2025-61594
URI Credential Leakage Bypass over CVE-2025-27221
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
3rd
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series), and 1.0.3 and earlier (bundled in the Ruby 3.4 series), using the + operator to combine URIs can leak sensitive information such as passwords from the original URI, violating RFC 3986 and exposing applications to credential disclosure. This is a bypass of the fix for CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
| CWE | CWE-200 CWE-212 |
| Vendor | ruby |
| Product | uri |
| Ecosystems | |
| Industries | Technology |
| Published | Dec 30, 2025 |
| Last Updated | Apr 16, 2026 |
Affected Versions
ruby / uri
- < 0.12.5
- >= 0.13.0, < 0.13.3
- >= 1.0.0, < 1.0.4
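
To check a project against the affected ranges listed above, the following added example (not code from the uri project or from this advisory's authors) audits a `Gemfile.lock` and the `uri` library loaded at runtime. The helper names and the sample lockfile, including the gem `example_gem`, are constructed for illustration.

```ruby
require "rubygems"
require "uri"

# Affected ranges for the uri gem, copied from this advisory.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 0.12.5"),
  Gem::Requirement.new(">= 0.13.0", "< 0.13.3"),
  Gem::Requirement.new(">= 1.0.0", "< 1.0.4"),
].freeze

# True when the given uri version falls inside any affected range.
def uri_version_affected?(version)
  v = Gem::Version.new(version.to_s)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Extract the resolved uri version from Gemfile.lock text.
# Resolved specs are indented four spaces ("    uri (1.0.3)"); dependency
# constraints ("      uri (>= 0.13.1)") are indented six and are skipped.
def locked_uri_version(lockfile_text)
  m = lockfile_text.match(/^ {4}uri \(([0-9][0-9A-Za-z.]*)\)\s*$/)
  m && m[1]
end

# Returns the locked version and whether it is affected.
# A nil version means uri is not locked, so the copy bundled with the
# Ruby interpreter is used and must be checked at runtime instead.
def audit_lockfile(lockfile_text)
  version = locked_uri_version(lockfile_text)
  return { version: nil, affected: nil } if version.nil?
  { version: version, affected: uri_version_affected?(version) }
end

# Constructed sample lockfile (example_gem is a hypothetical dependency).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_gem (1.0.0)
        uri (>= 0.13.1)
      uri (0.13.2)
LOCK

if __FILE__ == $0
  puts "lockfile: #{audit_lockfile(SAMPLE_LOCK)}"
  puts "loaded uri #{URI::VERSION} affected: #{uri_version_affected?(URI::VERSION)}"
end
```

The runtime check matters for applications without a pinned `uri` gem, since those use the version bundled with the Ruby series named in the description.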