QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-61594

Back to search

CVE-2025-61594

Published: Dec 30, 2025

Modified: Apr 16, 2026

PUBLISHED

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

VendorProductVersions

ruby

uri

affected
< 0.12.5
affected
>= 0.13.0, < 0.13.3
affected
>= 1.0.0, < 1.0.4

Weaknesses (CWE)

CWE-200
CWE-212

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now