Updated advisory posts against rubysec/ruby-advisory-db@190de50

jasnow · RubySec CI · commit 42c5eb990ccb · 2025-10-07T19:21:05.000Z
diff --git a/advisories/_posts/2025-10-07-CVE-2025-61594.md b/advisories/_posts/2025-10-07-CVE-2025-61594.md
@@ -0,0 +1,49 @@
+---
+layout: advisory
+title: 'CVE-2025-61594 (uri): CVE-2025-61594 - URI Credential Leakage Bypass over
+  CVE-2025-27221'
+comments: false
+categories:
+- uri
+advisory:
+  gem: uri
+  cve: 2025-61594
+  url: https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
+  title: CVE-2025-61594 - URI Credential Leakage Bypass over CVE-2025-27221
+  date: 2025-10-07
+  description: |2
+
+    In affected URI version, a bypass exists for the fix to CVE-2025-27221
+    that can expose user credentials.
+
+    This vulnerability has been assigned the CVE identifier CVE-2025-61594.
+    We recommend upgrading the uri gem.
+
+    ## Details
+
+    When using the + operator to combine URIs, sensitive information
+    like passwords from the original URI can be leaked, violating
+    RFC3986 and making applications vulnerable to credential exposure.
+
+    Please update URI gem to version 0.12.5, 0.13.3, 1.0.4 or later.
+
+    ## Affected versions
+
+    uri gem versions < 0.12.5, 0.13.0 to 0.13.2 and 1.0.0 to 1.0.3.
+
+    ## Credits
+
+    Thanks to junfuchong (chongfujun) for discovering this issue.
+    Also thanks to nobu for additional fixes of this vulnerability.
+  patched_versions:
+  - "~> 0.12.5"
+  - "~> 0.13.3"
+  - ">= 1.0.4"
+  related:
+    url:
+    - https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
+    - https://rubygems.org/gems/uri/versions/1.0.4
+    - https://rubygems.org/gems/uri/versions/0.13.3
+    - https://rubygems.org/gems/uri/versions/0.12.5
+    - https://github.com/ruby/uri
+---
