URI gem <=1.0.2 creds leak after host change
CVE-2025-27221 Published on March 4, 2025
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
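The following is an added example, not code from the advisory or from the uri gem. It shows a runtime canary that tells you whether the installed gem still carries the base URI's userinfo to a different host on a network-path reference, plus a defensive wrapper around URI#merge (URI.join and URI#+ share the same logic) that strips inherited credentials whenever the host changes; the URLs are constructed samples.

```ruby
require "uri"

# Canary check: does the installed uri gem copy the base URI's userinfo onto
# a merged URI whose host differs from the base host?
# Affected versions (see "Affected Versions" below) return true.
def uri_merge_leaks_credentials?
  base   = URI("https://user:secret@example.com/api/")  # constructed sample
  joined = base.merge("//other.example.net/x")          # network-path ref changes host
  joined.host != base.host && joined.userinfo == base.userinfo
end

# Defensive wrapper: merge as usual, then drop the base URI's userinfo if the
# result no longer points at the base host and the reference did not carry
# credentials of its own. Safe to use on both affected and fixed gem versions.
def merge_without_credential_leak(base, reference)
  base_uri = URI(base)
  ref_uri  = URI(reference)
  merged   = base_uri.merge(ref_uri)

  host_changed = !merged.host.to_s.casecmp?(base_uri.host.to_s)
  if host_changed && ref_uri.userinfo.nil?
    # URI::Generic#userinfo= ignores nil, so clear the two parts explicitly;
    # clearing the password too avoids leaving it stored on the object.
    merged.password = nil
    merged.user = nil
  end
  merged
end

if __FILE__ == $PROGRAM_NAME
  base = "https://user:secret@example.com/api/"
  puts "installed uri gem leaks userinfo on host change: #{uri_merge_leaks_credentials?}"
  puts merge_without_credential_leak(base, "//other.example.net/x")  # credentials dropped
  puts merge_without_credential_leak(base, "v1/items")               # same host, kept
end
```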
Weakness Type
Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Products Associated with CVE-2025-27221
Affected Versions
ruby-lang URI:
- Versions before 0.11.3 are affected.
- Versions from 0.12.0 up to, but not including, 0.12.4 are affected.
- Versions from 0.13.0 up to, but not including, 0.13.2 are affected.
- Versions from 1.0.0 up to, but not including, 1.0.3 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.