VulnerableCode Package Details - pkg:rpm/redhat/ruby@3.3.10-11?arch=el10

Search for packages

Vulnerability	Summary	Fixed by
VCID-nw8a-e25n-mbgs Aliases: CVE-2025-61594 GHSA-j4pr-3wm6-xx2r	URI Credential Leakage Bypass over CVE-2025-27221 In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. The vulnerability affects the `uri` gem bundled with the following Ruby series: * 0.12.4 and earlier (bundled in Ruby 3.2 series) * 0.13.2 and earlier (bundled in Ruby 3.3 series) * 1.0.3 and earlier (bundled in Ruby 3.4 series)	There are no reported fixed by versions.
VCID-trka-k7zz-bkh3 Aliases: CVE-2025-58767 GHSA-c2f4-jgmc-q2r5	REXML has DoS condition when parsing malformed XML file The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.	There are no reported fixed by versions.
VCID-wsss-kt87-2qdv Aliases: CVE-2025-24294 GHSA-xh69-987w-hrp8	resolv vulnerable to DoS via insufficient DNS domain name length validation A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby. ## Details The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. ## Affected Version The vulnerability affects the resolv gem bundled with the following Ruby series: * Ruby 3.2 series: resolv version 0.2.2 and earlier * Ruby 3.3 series: resolv version 0.3.0 * Ruby 3.4 series: resolv version 0.6.1 and earlier ## Credits Thanks to Manu for discovering this issue. ## History Originally published at 2025-07-08 07:00:00 (UTC)	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-nw8a-e25n-mbgs
Aliases:
CVE-2025-61594
GHSA-j4pr-3wm6-xx2r

URI Credential Leakage Bypass over CVE-2025-27221 In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. The vulnerability affects the `uri` gem bundled with the following Ruby series: * 0.12.4 and earlier (bundled in Ruby 3.2 series) * 0.13.2 and earlier (bundled in Ruby 3.3 series) * 1.0.3 and earlier (bundled in Ruby 3.4 series)

There are no reported fixed by versions.

VCID-trka-k7zz-bkh3
Aliases:
CVE-2025-58767
GHSA-c2f4-jgmc-q2r5

REXML has DoS condition when parsing malformed XML file The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

There are no reported fixed by versions.

VCID-wsss-kt87-2qdv
Aliases:
CVE-2025-24294
GHSA-xh69-987w-hrp8

resolv vulnerable to DoS via insufficient DNS domain name length validation A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby. ## Details The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. ## Affected Version The vulnerability affects the resolv gem bundled with the following Ruby series: * Ruby 3.2 series: resolv version 0.2.2 and earlier * Ruby 3.3 series: resolv version 0.3.0 * Ruby 3.4 series: resolv version 0.6.1 and earlier ## Credits Thanks to Manu for discovering this issue. ## History Originally published at 2025-07-08 07:00:00 (UTC)

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:38:36.745728+00:00	RedHat Importer	Affected by	VCID-wsss-kt87-2qdv	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24294.json	38.0.0
2026-04-01T13:36:41.819694+00:00	RedHat Importer	Affected by	VCID-trka-k7zz-bkh3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58767.json	38.0.0
2026-04-01T13:33:05.133379+00:00	RedHat Importer	Affected by	VCID-nw8a-e25n-mbgs	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61594.json	38.0.0