Add advisory for CVE-2025-61594 (URI Credential Leakage Bypass) for Ruby < 3.3.10 and < 3.4.7

hudakh · postmodern · commit 641db264b34b · 2025-11-03T22:10:41.000-08:00
diff --git a/rubies/ruby/CVE-2025-61594.yml b/rubies/ruby/CVE-2025-61594.yml
@@ -0,0 +1,18 @@
+---
+engine: ruby
+cve: 2025-61594
+url: https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
+title: URI Credential Leakage Bypass
+date: 2025-10-07
+description: |
+  A vulnerability in the URI library bundled with Ruby allows sensitive user credentials
+  (such as usernames or passwords) in a URI to be unintentionally leaked when combining
+  URIs using the `+` operator. This issue bypasses the previous fix for CVE-2025-27221.
+
+  The issue affects Ruby's built-in URI implementation prior to Ruby 3.3.10 and 3.4.7.
+affected_versions:
+  - ">= 3.3.0, < 3.3.10"
+  - ">= 3.4.0, < 3.4.7"
+patched_versions:
+  - ">= 3.3.10"
+  - ">= 3.4.7"
