CVE-2025-61594
📋 TL;DR
The uri gem's URI#+ operator (an alias of URI#merge) can carry the userinfo component of the base URI, that is the user name and password, into the merged result, contrary to the reference-resolution rules of RFC 3986. An application that combines a credential-bearing URI with another URI on a vulnerable gem version can therefore expose those credentials. Any Ruby application that uses a vulnerable version of the uri gem for URI manipulation is affected.
💻 Affected Systems
- Ruby uri gem (a default gem bundled with Ruby): versions below 0.12.5, 0.13.0 through 0.13.2, and 1.0.0 through 1.0.3
📦 What is this software?
uri, maintained by the Ruby core team (ruby/uri on GitHub). It provides URI parsing, resolution and manipulation for Ruby's standard library and ships as a default gem with every Ruby release, so it is present even in applications that never list it in their Gemfile.
⚠️ Risk & Real-World Impact
Worst Case
Credentials embedded in a base URI end up in a merged URI that is logged, displayed, or sent to a party that should never have received them, potentially leading to account compromise and data breaches.
Likely Case
Accidental credential leakage during routine URI manipulation, exposing the user name and password in application logs, error messages, or requests to downstream systems.
If Mitigated
Limited exposure if the application never passes credential-bearing URIs to URI#+ / URI#merge, or strips the userinfo component from URIs before combining them.
🎯 Exploit Status
Exploitation requires that the application combine a credential-bearing base URI with another URI via URI#+ (URI#merge) on a vulnerable gem version. No authentication is needed when the second operand is taken from external input, for example a redirect target or a link extracted from untrusted content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.12.5 (0.12 series), 0.13.3 (0.13 series), or 1.0.4 (1.0 series)
Vendor Advisory: https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
Restart Required: Yes. A gem update does not change code already loaded into running Ruby processes; restart them so they pick up the patched version.
Instructions:
1. Update the uri gem to 0.12.5, 0.13.3, or 1.0.4, matching the series you are on. Because uri is a default gem bundled with Ruby, it may not appear in your Gemfile; add an entry such as 'gem "uri", ">= 1.0.4"' (for the 1.0 series) so Bundler can manage the version.
2. Run 'bundle update uri' if using Bundler, or 'gem update uri' otherwise.
3. Verify with 'gem list -e uri' and, from inside the application's environment, 'ruby -ruri -e "puts URI::VERSION"' to confirm the version that is actually loaded, since several versions of a default gem can be installed side by side.
4. Restart running Ruby processes.
🔧 Temporary Workarounds
Avoid URI '+' operator with credentials
Strip the userinfo component from URIs before passing them to URI#+ / URI#merge, or avoid merging credential-bearing URIs altogether until the gem is updated.
🧯 If You Can't Patch
- Audit code for uses of URI#+ / URI#merge (and URI.join, which resolves via URI#merge) where the base URI can carry credentials, and normalize the result so it never inherits userinfo that the reference did not itself supply
- Implement input validation to reject, or strip credentials from, URIs that contain a userinfo component before they are processed
🔍 How to Verify
Check if Vulnerable:
Check your Gemfile.lock or run 'gem list -e uri' to see the installed versions. If the version is below 0.12.5, or in 0.13.0 through 0.13.2, or in 1.0.0 through 1.0.3, you are vulnerable. Because uri is a default gem, more than one version may be installed; the one that matters is the one your application loads, which 'ruby -ruri -e "puts URI::VERSION"' prints when run from the application's environment.
Check Version:
gem list -e uri
ruby -ruri -e 'puts URI::VERSION'
Verify Fix Applied:
After updating, confirm that URI::VERSION reports 0.12.5, 0.13.3, or 1.0.4 in each running process, and re-run the code paths that merge credential-bearing URIs to confirm the result no longer carries userinfo that the reference did not supply.
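The workaround and verification steps above, as an added Ruby example that is not part of the advisory or the uri gem: a version check implementing the ranges listed on this page, a behavioural probe of the loaded gem against the RFC 3986 section 5.2.2 rule that a reference carrying its own authority replaces the base authority (userinfo included), and a defensive merge that enforces that rule on the result for code that cannot upgrade yet. The sample URIs, host names and credentials are constructed, and 'safe_merge' and the other function names are this example's own.

```ruby
require 'uri'
require 'rubygems'

# Added example, not code from the uri gem or the advisory.
# Vulnerable ranges as listed in this advisory: < 0.12.5, 0.13.0-0.13.2, 1.0.0-1.0.3.
def uri_version_vulnerable?(version)
  v = Gem::Version.new(version)
  return true if v < Gem::Version.new('0.12.5')   # everything before 0.12.5, whatever the series
  series = v.segments.first(2)
  return v < Gem::Version.new('0.13.3') if series == [0, 13]
  return v < Gem::Version.new('1.0.4')  if series == [1, 0]
  false # 0.12.5 and later in the 0.12 series, or a series this advisory does not list
end

# Behavioural probe of the gem actually loaded by this process. RFC 3986 section 5.2.2:
# when the reference has its own authority, the target takes that authority in full,
# so no userinfo from the base may survive. Base URI and host names are constructed.
def loaded_uri_gem_leaks_userinfo?
  base   = URI('https://alice:s3cret@api.example.com/v1/')
  merged = base + '//cdn.example.org/assets/app.js'   # reference names a different host
  !merged.userinfo.nil?   # true means alice:s3cret is now addressed to cdn.example.org
end

# Defensive merge for code that cannot upgrade yet (hypothetical helper name): run URI#+
# as usual, then enforce the RFC 3986 authority rule on the result so credentials from
# the base never ride along when the reference supplied its own host.
def safe_merge(base, ref)
  base   = URI(base)
  ref    = URI(ref)
  result = base + ref
  return result if ref.absolute?   # URI#+ returns the reference itself; nothing of base remains
  if ref.host                      # reference carries an authority: only its own userinfo may appear
    result.password = nil          # URI#userinfo= ignores nil, so clear password, then user
    result.user     = nil
    result.userinfo = ref.userinfo if ref.userinfo
  end
  result                           # path-only references keep the base authority, credentials included
end

if __FILE__ == $PROGRAM_NAME
  puts "uri gem loaded:           #{URI::VERSION}"
  puts "version in listed ranges: #{uri_version_vulnerable?(URI::VERSION)}"
  puts "merge leaks userinfo:     #{loaded_uri_gem_leaks_userinfo?}"
  puts safe_merge('https://alice:s3cret@api.example.com/v1/', '//cdn.example.org/assets/app.js')
end
```

Run it inside the application's bundle (for example with 'bundle exec ruby check_uri.rb') so URI::VERSION reflects the gem the application actually loads. A true from loaded_uri_gem_leaks_userinfo? means the base credentials survived a merge onto another host, which is the leak this advisory describes. safe_merge clears the password before the user because URI#userinfo= treats nil as a no-op, so removing the two halves separately is the reliable way to drop inherited credentials; a path-only reference keeps the base authority, credentials included, because that is what RFC 3986 specifies.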
📡 Detection & Monitoring
Log Indicators:
- URLs in application logs that contain a userinfo component (scheme://user:password@host), especially where the host is not the one the credential belongs to
- Credentials appearing in logs or error messages that were expected to omit or redact them
Network Indicators:
- Outbound HTTP requests whose target URL carries a userinfo component, or credentials appearing in the request logs of a host that should never receive them
SIEM Query:
Search application, proxy and egress logs for URLs that match a userinfo pattern such as the regular expression ://[^/@\s]+@ and alert when the user name is a known service credential but the host is not the one that credential is valid for.
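The log indicators and query above, as an added Ruby example that is not part of the advisory: a scanner that flags URLs carrying a userinfo component in log lines, redacts the secret so the finding can be forwarded safely, and marks a hit as misdirected when the user name is a known service credential but the host is not the one that credential belongs to, which is the footprint this bug leaves behind. The log lines, host names, credentials and the credential-to-host mapping are constructed for the example.

```ruby
# Added example, not code from the advisory or the uri gem.
# Constructed sample log lines: a clean fetch, a leaked credential on the wrong host,
# a credential on its own host, and a query string with a user name but no userinfo.
SAMPLE_LOG = <<~LOG
  2025-10-08T10:01:12Z INFO  fetch url=https://api.example.com/v1/items status=200
  2025-10-08T10:01:13Z INFO  fetch url=https://alice:s3cret@cdn.example.org/assets/app.js status=200
  2025-10-08T10:01:14Z WARN  redirect to http://svc:hunter2@internal.example.net:8080/health
  2025-10-08T10:01:15Z INFO  fetch url=https://example.com/login?user=alice status=302
LOG

# Constructed mapping: the host each service credential is valid for.
KNOWN_CREDENTIAL_HOSTS = { 'alice' => 'api.example.com', 'svc' => 'internal.example.net' }.freeze

# scheme://userinfo@host[:port]. The userinfo class excludes '/', '?' and '#', so an '@'
# that only appears in a path or query string does not match.
URL_WITH_USERINFO = %r{\b([a-z][a-z0-9+.-]*)://([^\s/?#@]+)@([^\s/?#]+)}i

# Replace every userinfo in the line with a placeholder, keeping scheme and host visible.
def redact_userinfo(line)
  line.gsub(URL_WITH_USERINFO) { "#{$1}://[REDACTED]@#{$3}" }
end

# Returns one hash per log line that carries a credential-bearing URL.
def find_credential_urls(log_text, known_hosts = KNOWN_CREDENTIAL_HOSTS)
  log_text.each_line.with_index(1).filter_map do |raw, lineno|
    line = raw.chomp
    m = URL_WITH_USERINFO.match(line)
    next unless m
    user = m[2].split(':', 2).first
    host = m[3].split(':', 2).first   # drop the port; IPv6 literals would need bracket handling
    {
      line: lineno,
      user: user,
      host: host,
      misdirected: known_hosts.key?(user) && known_hosts[user] != host,
      redacted: redact_userinfo(line),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_credential_urls(SAMPLE_LOG).each do |hit|
    flag = hit[:misdirected] ? 'MISDIRECTED credential' : 'credential in URL'
    puts "line #{hit[:line]}: #{flag} user=#{hit[:user]} host=#{hit[:host]}"
    puts "  #{hit[:redacted]}"
  end
end
```

The misdirected flag is the high-signal alert: a credential showing up on its own host is ordinary (if undesirable) logging of a URL with userinfo, while a credential showing up on a different host is exactly the result of merging a credential-bearing base URI onto a reference that named another host. Feed the redacted line, not the original, into the alert so the SIEM does not become a second copy of the secret.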
🔗 References
- https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902
- https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c
- https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
- https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/