VulnerableCode Package Details - pkg:gem/uri@0.12.4

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ug6n-hxax-xfgp	URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.	CVE-2025-27221 GHSA-22h5-pq3x-2gf2

Vulnerability

Summary

Aliases

VCID-ug6n-hxax-xfgp

URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.

CVE-2025-27221
GHSA-22h5-pq3x-2gf2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-06T17:39:07.974682+00:00	GHSA Importer	Fixing	VCID-ug6n-hxax-xfgp	https://github.com/advisories/GHSA-22h5-pq3x-2gf2	37.0.0
2025-07-03T19:22:10.733185+00:00	GitLab Importer	Fixing	VCID-ug6n-hxax-xfgp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/uri/CVE-2025-27221.yml	37.0.0
2025-07-03T13:57:46.304903+00:00	GitLab Importer	Fixing	VCID-ug6n-hxax-xfgp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/uri/CVE-2025-27221.yml	36.1.3
2025-07-01T12:12:45.195373+00:00	GithubOSV Importer	Fixing	VCID-ug6n-hxax-xfgp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-22h5-pq3x-2gf2/GHSA-22h5-pq3x-2gf2.json	36.1.3