CVE-2025-27221
ADVISORY - GitHub
Summary
There is a possibility for userinfo leakage in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.
Details
The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host was replaced. When a URL containing secret userinfo is passed to these methods to generate a URL pointing at a malicious host, and someone then accesses the generated URL, the retained credentials travel with it and an unintended userinfo leak could occur.
Please update the uri gem to version 0.11.3, 0.12.4, 0.13.2, or 1.0.3 or later.
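As an added example (not code from the uri gem, the advisory, or the reporter), the following Ruby shows a guarded join that enforces the behaviour the fix restores, plus a probe that tells you whether the installed gem still carries credentials across a host change. Host names and credentials are constructed; `join_without_credential_leak` and `uri_join_leaks_userinfo?` are hypothetical helper names.

```ruby
require "uri"

# Guarded wrapper around URI.join: never let a base URL's credentials
# travel to a different authority, which is exactly what the affected
# URI#join / #merge / #+ did. On a patched uri gem URI.join already drops
# them; on an affected version the post-condition below removes them.
def join_without_credential_leak(base, reference)
  base_uri = URI.parse(base)
  joined   = URI.join(base, reference)

  # RFC 3986 section 5.2.2: when the reference supplies its own authority,
  # the result takes that authority wholesale. Credentials left over from
  # the base after scheme, host or port changed are therefore a leak.
  authority_changed =
    joined.scheme != base_uri.scheme ||
    joined.host   != base_uri.host   ||
    joined.port   != base_uri.port

  if authority_changed && base_uri.userinfo && joined.userinfo == base_uri.userinfo
    # URI::Generic#userinfo= silently ignores nil, so clear the two parts
    # explicitly: password first, because a password requires a user.
    joined.password = nil
    joined.user     = nil
  end
  joined
end

# Audit probe for a deployment: does the installed uri gem let URI.join
# carry a base URL's userinfo to a foreign host? Constructed hosts only;
# true means the installed version behaves like the affected releases.
def uri_join_leaks_userinfo?
  base   = "https://svc_user:s3cret@api.example.test/v1/"
  joined = URI.join(base, "https://cdn.example.test/asset.js")
  joined.userinfo == "svc_user:s3cret"
end

if $PROGRAM_NAME == __FILE__
  version = URI.const_defined?(:VERSION) ? URI::VERSION : "unknown"
  puts "installed uri #{version}: URI.join leaks userinfo? #{uri_join_leaks_userinfo?}"
  base = "https://svc_user:s3cret@api.example.test/v1/"
  puts join_without_credential_leak(base, "https://cdn.example.test/asset.js") # credentials dropped
  puts join_without_credential_leak(base, "users/42")                          # same host, kept
end
```

Running the probe in CI against the Ruby image you deploy is a quick way to confirm that the bundled or vendored uri gem is one of the fixed releases.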
Affected versions
uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0 and 0.13.1, and 1.0.0 to 1.0.2.
Credits
Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.
Common Weakness Enumeration (CWE)
Improper Removal of Sensitive Information Before Storage or Transfer
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
GitHub CVSS score: 2.1 (low)
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| uri | gem | - | - | <0.11.3 | 0.11.3 |
| uri | gem | - | - | >=0.12.0,<0.12.4 | 0.12.4 |
| uri | gem | - | - | >=0.13.0,<0.13.2 | 0.13.2 |
| uri | gem | - | - | >=1.0.0,<1.0.3 | 1.0.3 |
CVSS:4 Severity and metrics
The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.
Attack Vector (AV): Local. The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console) or remotely (e.g., SSH), or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity (AC): Low. Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
Attack Requirements (AT): Present. The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: a race condition must be won to successfully exploit the vulnerability (the success of the attack is conditioned on execution conditions that are not under full control of the attacker, and the attack may need to be launched multiple times against a single target before being successful); or network injection, where the attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g., vulnerabilities requiring an on-path attacker).
Privileges Required (PR): None. The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None. The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Vulnerable System Confidentiality (VC): None. There is no loss of confidentiality within the Vulnerable System.
Subsequent System Confidentiality (SC): Low. There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System.
Vulnerable System Integrity (VI): None. There is no loss of integrity within the Vulnerable System.
Subsequent System Integrity (SI): None. There is no loss of integrity within the Subsequent System, or all integrity impact is constrained to the Vulnerable System.
Vulnerable System Availability (VA): None. There is no impact to availability within the Vulnerable System.
Subsequent System Availability (SA): None. There is no impact to availability within the Subsequent System, or all availability impact is constrained to the Vulnerable System.
Scores and advisories by other sources
| Source | Advisory | Score | CVSS score | Severity |
|---|---|---|---|---|
| NIST | - | 1.4 | 3.2 | low |
| Debian | - | - | - | - |
| Ubuntu | - | 3.9 | 5.3 | medium |
| Alma | - | - | N/A | medium |
| Amazon | - | - | N/A | medium |
| Red Hat | - | 1.4 | 3.2 | low |
| Rocky | - | - | N/A | low |
| Oracle | - | - | N/A | medium |
| Chainguard | CGA-6628-mjw3-h54f, CGA-6qhg-6mx5-8g9x, CGA-79mj-jx8g-53m5, CGA-8mwg-56v4-76vr, CGA-9pw5-qrx9-h723, CGA-gmc6-8f4h-m7wq, CGA-h2vx-8jcv-q42j, CGA-h569-4h67-4cxv, CGA-hg25-58p6-ch23, CGA-mw49-rqc5-hg65, CGA-pqqp-m4px-prpq, CGA-rjhg-f5vr-33f2, CGA-wmmg-78p2-q8cf | - | - | - |
| Photon | CVE-2025-27221 | - | 5.3 | medium |
| minimos | MINI-6c4r-w2x8-j455, MINI-6h56-9hp5-pv35, MINI-99gx-v4vj-qrx8, MINI-9x5x-9qgw-wrhq, MINI-fm47-8mvq-9f46, MINI-g2r5-q7w6-mmf2, MINI-g36m-x3vr-xg5w, MINI-gfcv-pr58-vg2w, MINI-h375-x4hx-vg53, MINI-q6qw-jj6h-f3h9, MINI-wp63-cqhf-vf9g, MINI-wv4q-r7rh-gwrf, MINI-x3ch-cgwc-f4m9, MINI-xqqg-375w-hwcg | - | - | - |