CVE-2023-36617
CVE-2023-36617 is a ReDoS in Ruby’s URI parser prior to 0.12.2, where invalid URLs containing specific characters trigger significantly longer parsing times via rfc2396_parser.rb and rfc3986_parser.rb. This stems from an incomplete fix related to CVE-2023-28755; 0.10.3 is also listed as a fixed v...
CVE-2025-27221
CVE-2025-27221 affects the Ruby URI module (URI.join, URI#merge, URI#+). The root issue is leakage of userinfo credentials when the host is changed, as userinfo is retained. This impacts versions of the URI gem prior to 1.0.3; the issue is fixed in 1.0.3 and later. If exploited, credential exposu...
CVE-2025-61594
CVE-2025-61594 concerns Ruby's URI module. In versions ≤0.12.4 (Ruby 3.2), ≤0.13.2 (Ruby 3.3), and ≤1.0.3 (Ruby 3.4), using the + operator to join URIs could leak passwords from the original URI, bypassing the earlier fix for CVE-2025-27221 and exposing credentials. Mitigations are available in fixed rele...