CVE-2023-28755
Summary: CVE-2023-28755 is a ReDoS vulnerability in the URI parser of Ruby's URI component, affecting URI versions up to 0.12.0 in the 0.x series and Ruby up to 3.2.1. The issue causes an abnormal increase in parsing time for certain invalid URLs, potentially leading to denial of service. Affe...
CVE-2023-36617
CVE-2023-36617 is a ReDoS in Ruby’s URI parser prior to 0.12.2, where invalid URLs containing specific characters trigger significantly longer parsing times via rfc2396_parser.rb and rfc3986_parser.rb. This stems from an incomplete fix related to CVE-2023-28755; 0.10.3 is also listed as a fixed v...
CVE-2025-27221
CVE-2025-27221 affects the Ruby URI module (URI.join, URI#merge, URI#+). The root issue is leakage of userinfo credentials when the host is changed, as userinfo is retained. This impacts versions of the URI gem prior to 1.0.3; the issue is fixed in 1.0.3 and later. If exploited, credential exposu...
CVE-2025-61594
This CVE concerns Ruby's URI module. In versions ≤0.12.4 (Ruby 3.2), ≤0.13.2 (Ruby 3.3), and ≤1.0.3 (Ruby 3.4), using the + operator to join URIs could leak passwords from the original URI, bypassing the earlier fix for CVE-2025-27221 and exposing credentials. Mitigations are available in fixed rele...