3.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27221

GHSA ID

GHSA-22h5-pq3x-2gf2

EPSS Score

0.03044%

CWE

CWE-200

Published

3/3/2025

Updated

3/4/2025

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27221

CVE-2025-27221: URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+

There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.

Details

The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.

Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.

Affected versions

uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.

Credits

Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.

(GitHub Advisory)

3.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27221

GHSA ID

GHSA-22h5-pq3x-2gf2

EPSS Score

0.03044%

CWE

CWE-200

Published

3/3/2025

Updated

3/4/2025

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
uri	rubygems	< 0.11.3	0.11.3
uri	rubygems	>= 0.12.0, < 0.12.4	0.12.4
uri	rubygems	>= 0.13.0, < 0.13.2	0.13.2
uri	rubygems	>= 1.0.0, < 1.0.3	1.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies URI#join, URI#merge, and URI#+ as the affected methods. These are instance methods of the URI::Generic class in Ruby's URI gem, as confirmed by:

The CVE's technical details describing host replacement without userinfo removal
The linked GitHub pull requests (e.g., ruby/uri#154) showing fixes applied to URI::Generic's merge/join logic
Ruby's URI module structure, where URI manipulation methods are defined in URI::Generic
The CWE-212 mapping (improper data removal) aligning with the failure to clear userinfo during URI operations

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * possi*ility *or us*rin*o l**k*** *y in t** uri **m. T*is vuln*r**ility **s ***n *ssi*n** t** *V* i**nti*i*r *V*-****-*****. W* r**omm*n* up*r**in* t** uri **m. ## **t*ils T** m*t*o*s `URI#join`, `URI#m*r**`, *n* `URI#+` r*t*in** us*rin*o

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s URI#join, URI#m*r**, *n* URI#+ *s t** *****t** m*t*o*s. T**s* *r* inst*n** m*t*o*s o* t** URI::**n*ri* *l*ss in Ru*y's URI **m, *s *on*irm** *y: *. T** *V*'s t***ni**l **t*ils **s*ri*in* *ost r*pl*

3.2

Basic Information

Concerned about an active attack path?

CVE-2025-27221: URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+

Details

Affected versions

Credits

3.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI