CVE-2025-27221

low-risk

Published 2025-03-04

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.2/10 Low

LOCAL / HIGH complexity

Affected Products (1)

Uri

Affected Vendors

Ruby-Lang

References (4)

Third Party Advisory https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221....

Permissions Required https://hackerone.com/reports/2957667

https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html

https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html

/ 100

low-risk

Severity 8/34 · Low

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal