Upstream information
CVE-2025-61594 at MITRE
Description
URI is a Ruby module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials: when the `+` operator (an alias of `URI#merge`) is used to combine URIs, sensitive information such as the password from the original URI can be carried into the resulting URI, violating RFC 3986 and exposing applications to credential leakage. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
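The following is an added example, not code from the uri gem, from Ruby, or from SUSE. It shows the RFC 3986 section 5.2.2 authority rule that the fixed gem versions enforce, as a defensive wrapper that re-applies the rule on top of `URI#merge` regardless of the installed gem version, and a probe that reports whether the installed gem's `URI#+` still carries credentials onto a different host. The `safe_merge` and `library_leaks_userinfo?` names and the sample URIs are constructed for this example.

```ruby
require 'uri'

# Added example (not the uri gem's own fix): re-apply the RFC 3986 s.5.2.2
# authority rule on top of URI#merge (URI#+ is an alias of it). The reference's
# authority, userinfo included, replaces the base's whenever the reference
# supplies a host; otherwise the base's authority is inherited unchanged.
# All URIs used below are constructed for this example.
def safe_merge(base, ref)
  base = URI(base)
  ref  = URI(ref)

  # Decide who owns the authority *before* merging: URI#merge returns an
  # absolute reference object as-is, so mutating the result could mutate +ref+.
  owner = ref.host ? ref : base
  user, password = owner.user, owner.password

  merged = base.merge(ref).dup
  return merged unless merged.hierarchical? # opaque URIs (mailto:) carry no authority

  # Clear explicitly. URI::Generic#userinfo= ignores nil, and the password is
  # stored separately from the user, so the password must be reset on its own.
  merged.password = nil
  merged.user     = user
  merged.password = password
  merged
end

# Probe the installed uri gem: does URI#+ carry the base's credentials onto a
# different host? True means the installed version still has this class of bug.
# The answer depends on the installed URI::VERSION, so it is reported, not assumed.
def library_leaks_userinfo?(base = "http://user:pass@a.example/x", ref = "//b.example/y")
  result = URI(base) + ref
  result.host != URI(base).host && !(result.userinfo.nil? && result.password.nil?)
end

if $PROGRAM_NAME == __FILE__
  puts "uri #{URI::VERSION}: URI#+ leaks userinfo across hosts? #{library_leaks_userinfo?}"
  [
    "/y",                              # same authority: userinfo legitimately kept
    "?q=1",
    "//b.example/y",                   # network-path reference: new host, no userinfo
    "https://b.example/y",
    "http://other:secret@b.example/y", # the reference's own userinfo wins
  ].each { |ref| puts "#{ref.ljust(34)} -> #{safe_merge('http://user:pass@a.example/x', ref)}" }
end
```

Run it against the Ruby that ships with the package in question: the probe line tells you whether that gem build still leaks, and the wrapper gives consistent results on every version. The wrapper is a stopgap for code that cannot upgrade immediately; the fix is still to move to 0.12.5, 0.13.3, or 1.0.4.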
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
CVSS v4 Scores
| CVSS detail | CNA (GitHub) |
|---|---|
| Base Score | 2.7 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | None |
| Vulnerable System Confidentiality Impact | Low |
| Vulnerable System Integrity Impact | None |
| Vulnerable System Availability Impact | None |
| Subsequent System Confidentiality Impact | None |
| Subsequent System Integrity Impact | None |
| Subsequent System Availability Impact | None |
| CVSSv4 Version | 4.0 |
SUSE Bugzilla entry:
1255833 [NEW]
No SUSE Security Announcements cross referenced.
List of released packages
Product(s): SUSE Liberty Linux 8
Fixed package version(s):
  ruby >= 3.3.10-5.module+el8.10.0+23696+c42b0f57
  ruby-bundled-gems >= 3.3.10-5.module+el8.10.0+23696+c42b0f57
  ruby-default-gems >= 3.3.10-5.module+el8.10.0+23696+c42b0f57
  ruby-devel >= 3.3.10-5.module+el8.10.0+23696+c42b0f57
  ruby-doc >= 3.3.10-5.module+el8.10.0+23696+c42b0f57
  ruby-libs >= 3.3.10-5.module+el8.10.0+23696+c42b0f57
  rubygem-abrt >= 0.4.0-1.module+el8.10.0+21226+b78a28c4
  rubygem-abrt-doc >= 0.4.0-1.module+el8.10.0+21226+b78a28c4
  rubygem-bigdecimal >= 3.1.5-5.module+el8.10.0+23696+c42b0f57
  rubygem-bundler >= 2.5.22-5.module+el8.10.0+23696+c42b0f57
  rubygem-io-console >= 0.7.1-5.module+el8.10.0+23696+c42b0f57
  rubygem-irb >= 1.13.1-5.module+el8.10.0+23696+c42b0f57
  rubygem-json >= 2.7.2-5.module+el8.10.0+23696+c42b0f57
  rubygem-minitest >= 5.20.0-5.module+el8.10.0+23696+c42b0f57
  rubygem-mysql2 >= 0.5.5-1.module+el8.10.0+21226+b78a28c4
  rubygem-mysql2-doc >= 0.5.5-1.module+el8.10.0+21226+b78a28c4
  rubygem-pg >= 1.5.4-1.module+el8.10.0+21226+b78a28c4
  rubygem-pg-doc >= 1.5.4-1.module+el8.10.0+21226+b78a28c4
  rubygem-power_assert >= 2.0.3-5.module+el8.10.0+23696+c42b0f57
  rubygem-psych >= 5.1.2-5.module+el8.10.0+23696+c42b0f57
  rubygem-racc >= 1.7.3-5.module+el8.10.0+23696+c42b0f57
  rubygem-rake >= 13.1.0-5.module+el8.10.0+23696+c42b0f57
  rubygem-rbs >= 3.4.0-5.module+el8.10.0+23696+c42b0f57
  rubygem-rdoc >= 6.6.3.1-5.module+el8.10.0+23696+c42b0f57
  rubygem-rexml >= 3.4.4-5.module+el8.10.0+23696+c42b0f57
  rubygem-rss >= 0.3.1-5.module+el8.10.0+23696+c42b0f57
  rubygem-test-unit >= 3.6.1-5.module+el8.10.0+23696+c42b0f57
  rubygem-typeprof >= 0.21.9-5.module+el8.10.0+23696+c42b0f57
  rubygems >= 3.5.22-5.module+el8.10.0+23696+c42b0f57
  rubygems-devel >= 3.5.22-5.module+el8.10.0+23696+c42b0f57
References: Patchnames: RHSA-2025:23062

Product(s): openSUSE Tumbleweed
Fixed package version(s):
  libruby3_4-3_4 >= 3.4.7-1.1
  ruby3.4 >= 3.4.7-1.1
  ruby3.4-devel >= 3.4.7-1.1
  ruby3.4-devel-extra >= 3.4.7-1.1
  ruby3.4-doc >= 3.4.7-1.1
  ruby3.4-doc-ri >= 3.4.7-1.1
References: Patchnames: openSUSE-Tumbleweed-2025-15614
SUSE Timeline for this CVE
CVE page created: Thu Oct 9 01:25:03 2025
CVE page last modified: Thu Jan 15 15:49:55 2026