CVE-2025-27221: userinfo leakage in URI#join, URI#merge and URI#+.

There is a possibility of userinfo leakage in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.

Details

The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host had been replaced. If one of these methods is used to build a URL pointing at a malicious host from a URL that contains secret userinfo, and someone is then made to access the resulting URL, the userinfo can be disclosed to that host, an unintended leak.

Please update the uri gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.
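The following Ruby is an added example, not code from the advisory, the uri gem or the Gentoo package; it assumes only the standard uri library and rubygems' Gem::Version. It does three things a practitioner wants when triaging this CVE: map a uri gem version onto the fixed releases named above, probe the gem that is actually loaded for the retained-credential behaviour, and wrap merge so that credentials from the base URL can never travel to a different host even on an unpatched gem. The probe uses a scheme-less network-path reference (//host/path) because, on my reading of the advisory rather than anything stated on this page, that is the shape of input where the host is replaced while the base's userinfo survives; an absolute reference simply replaces the base. The host names and credentials are constructed for the example.

```ruby
require 'uri'

# Fixed releases listed in the advisory. A version is treated as fixed when it is
# at or above the newest of these whose release branch is not newer than its own,
# which is how "or later" is read here (an assumption, not advisory text).
URI_FIXED_VERSIONS = %w[0.11.3 0.12.4 0.13.2 1.0.3]
                       .map { |v| Gem::Version.new(v) }.freeze

def uri_gem_fixed?(version = (defined?(URI::VERSION) ? URI::VERSION : '0.0.0'))
  v = Gem::Version.new(version)
  branch = v.segments[0, 2]
  candidate = URI_FIXED_VERSIONS
                .select { |f| (f.segments[0, 2] <=> branch) <= 0 }
                .max
  !candidate.nil? && v >= candidate
end

# Probe the gem that is loaded right now: a vulnerable merge keeps the base's
# user:secret while swapping in the attacker's host. Constructed sample input.
def uri_gem_leaks_userinfo?
  base = URI('https://user:secret@example.com/api/')
  base.merge('//attacker.example/collect').userinfo == 'user:secret'
end

# Drop-in replacement for URI#merge / URI#+ that refuses to carry the base's
# credentials onto a different host, regardless of gem version. Credentials
# stay only when the host is unchanged or the reference supplied its own.
def credential_safe_merge(base, ref)
  base_uri = URI(base)
  ref_uri  = URI(ref)
  merged   = base_uri.merge(ref_uri)
  if merged.userinfo && merged.host != base_uri.host && ref_uri.userinfo.nil?
    # URI#userinfo=(nil) is a no-op in the gem, so clear the two parts directly.
    merged.user = nil
    merged.password = nil
  end
  merged
end

# URI.join is a chain of merges, so the same guard covers it.
def credential_safe_join(base, *refs)
  refs.reduce(URI(base)) { |acc, ref| credential_safe_merge(acc, ref) }
end

if __FILE__ == $PROGRAM_NAME
  loaded = defined?(URI::VERSION) ? URI::VERSION : 'unknown'
  puts "uri #{loaded}: version considered fixed=#{uri_gem_fixed?}, " \
       "merge leaks userinfo=#{uri_gem_leaks_userinfo?}"
  puts credential_safe_merge('https://user:secret@example.com/api/', '//attacker.example/collect')
end
```

credential_safe_merge is a mitigation for code that cannot upgrade immediately; the real fix is the gem update. The two probes disagreeing (version reported as unfixed but no leak observed) is expected on distributions that backport the patch without bumping URI::VERSION, which is why the behavioural probe is the one to trust.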
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87f29a3d1ca1dba2bb7c0f50d02b304bcdfd4f16

commit 87f29a3d1ca1dba2bb7c0f50d02b304bcdfd4f16
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-02-27 07:22:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-02-27 07:23:00 +0000

    dev-ruby/uri: add 1.0.3

    Bug: https://bugs.gentoo.org/950296
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/uri/Manifest         |  1 +
 dev-ruby/uri/uri-1.0.3.ebuild | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a58ae91be6f80627b5dfcd74c92a782217d1912e

commit a58ae91be6f80627b5dfcd74c92a782217d1912e
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-03-23 14:01:54 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-03-23 14:04:57 +0000

    dev-ruby/uri: drop 1.0.1, 1.0.2

    Bug: https://bugs.gentoo.org/950296
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/uri/Manifest         |  2 --
 dev-ruby/uri/uri-1.0.1.ebuild | 26 --------------------------
 dev-ruby/uri/uri-1.0.2.ebuild | 28 ----------------------------
 3 files changed, 56 deletions(-)