Vulnerability Database

320,115

Total vulnerabilities in the database

CVE-2025-27221

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Published: Mar 3, 2025
Updated: Jan 26, 2026
CVE: CVE-2025-27221
GHSA: GHSA-22h5-pq3x-2gf2
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CWEs:

CWE-200
CWE-212

Affected Software
References

Software	From	Fixed in
uri	-	0.11.3
uri	0.12.0	0.12.4
uri	0.13.0	0.13.2
uri	1.0.0	1.0.3
ruby-lang / uri	-	0.11.3
ruby-lang / uri	0.12.0	0.12.4
ruby-lang / uri	0.13.0	0.13.2
ruby-lang / uri	1.0.0	1.0.3

https://github.com/ruby/uri/pull/154
https://github.com/ruby/uri/pull/155
https://github.com/ruby/uri/pull/156
https://github.com/ruby/uri/pull/157
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml
https://hackerone.com/reports/2957667
https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
https://www.cve.org/CVERecord?id=CVE-2025-27221
https://www.ruby-lang.org/en/news/2025/02/26/security-advisories

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo