CVE-2025-27221

NameCVE-2025-27221
DescriptionIn the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4082-1
Debian Bugs1103794

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby2.7 (PTS)bullseye2.7.4-1+deb11u1vulnerable
bullseye (security)2.7.4-1+deb11u5fixed
ruby3.1 (PTS)bookworm, bookworm (security)3.1.2-7+deb12u1vulnerable
ruby3.3 (PTS)sid, trixie3.3.8-1fixed
rubygems (PTS)bullseye3.2.5-2vulnerable
bookworm3.3.15-2vulnerable
sid, trixie3.6.7-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby2.7sourcebullseye2.7.4-1+deb11u5DLA-4082-1
ruby2.7source(unstable)(unfixed)
ruby3.1source(unstable)(unfixed)1103794
ruby3.3source(unstable)3.3.7-2
rubygemssource(unstable)3.6.6-1

Notes

[bookworm] - ruby3.1 <no-dsa> (Minor issue)
[bookworm] - rubygems <no-dsa> (Minor issue)
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 (v1.0.3)
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 (v1.0.3)
https://github.com/ruby/uri/pull/154
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml
Search for package or bug name: Reporting problems