CVE-CVE-2025-27221 | LOW Severity | CVEDatabase.com

Description

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

CVSS Metrics

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector: local
Complexity: high
Privileges: none
User Action: none
Scope: changed
Confidentiality: low
Integrity: none
Availability: none
Weaknesses: CWE-212CWE-212

Metadata

Primary Vendor: RUBY-LANG
Published: 3/4/2025
Last Modified: 11/3/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

ruby-lang : uriruby-lang : uriruby-lang : uriruby-lang : uri

AI-Powered Remediation

Generate remediation guidance or a C-suite brief for this vulnerability.

Executive Intelligence Brief

View on NIST NVD