CVE-2025-27221
LOWDescription
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| ruby-lang | uri |
| ruby-lang | uri |
| ruby-lang | uri |
| ruby-lang | uri |
References
Frequently Asked Questions
What is CVE-2025-27221? +
How severe is CVE-2025-27221? +
What products are affected by CVE-2025-27221? +
How do I check if I'm vulnerable to CVE-2025-27221? +
Related Vulnerabilities
Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions …
kube-audit-rest is a simple logger of mutation/creation requests to the k8s api. If the "full-elastic-stack" example vector configuration was used …
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to …
A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or …
In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 …