Sign In

CVE-2025-61594

ADVISORY - github

Summary

Impact

In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.

The vulnerability affects the uri gem bundled with the following Ruby series:

  • 0.12.4 and earlier (bundled in Ruby 3.2 series)
  • 0.13.2 and earlier (bundled in Ruby 3.3 series)
  • 1.0.3 and earlier (bundled in Ruby 3.4 series)

Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4

References

EPSS Score: 0.00055 (0.173)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

ADVISORY - github

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

ADVISORY - redhat

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in