Home > Vulnerability Database > CVE-2025-27221

Mend.io Vulnerability Database

CVE-2025-27221

Good to know:

Date: March 2, 2025

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Severity Score

3.2

Related Resources (12)

Url: https://www.cve.org/CVERecord?id=CVE-2025-27221

Url: https://hackerone.com/reports/2957667

Url: https://github.com/ruby/uri/pull/156

Url: https://github.com/ruby/uri/pull/157

Url: https://github.com/ruby/uri/pull/154

Url: https://github.com/ruby/uri/pull/155

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27221

Url: https://github.com/ruby/uri

Url: https://www.ruby-lang.org/en/news/2025/02/26/security-advisories

Url: https://security-tracker.debian.org/tracker/CVE-2025-27221

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml

Url: https://www.mend.io/vulnerability-database/CVE-2025-27221

Severity Score

3.2

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-212

Top Fix

Upgrade Version

Upgrade to version uri - 0.13.2;uri - 1.0.3;uri - 0.12.4;uri - 0.11.3

Learn More

CVSS v3.1

Base Score:	3.2
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27221

Good to know:

Date: March 2, 2025

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?