Package details: pkg:maven/org.jruby/jruby@10.0.0.1
purl pkg:maven/org.jruby/jruby@10.0.0.1
Vulnerabilities affecting this package (0)

| Vulnerability | Summary | Fixed by |
|---|---|---|
| (none) | This package is not known to be affected by vulnerabilities. | |
Vulnerabilities fixed by this package (1)

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-cu1e-wg2d-e3ef | JRuby-OpenSSL has hostname verification disabled by default | CVE-2025-46551, GHSA-72qj-48g4-5xgx |

Advisory text for VCID-cu1e-wg2d-e3ef:

### Summary

When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn't complain.

### Details

n/a

### PoC

An example domain bad.substitutealert.com was created to present a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3:

```ruby
require "net/http"
require "openssl"

# The host serves a valid certificate issued for a different domain (s8a.me).
uri = URI("https://bad.substitutealert.com/")

https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
# Peer verification is requested; CRuby also checks the hostname here,
# while the affected jruby-openssl versions do not.
https.verify_mode = OpenSSL::SSL::VERIFY_PEER

body = https.start { https.get(uri.request_uri).body }
puts body
```

### Impact

Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T23:28:24.409901+00:00 | GitLab Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jruby/jruby/CVE-2025-46551.yml | 38.4.0 |
| 2026-04-16T03:23:48.679920+00:00 | GHSA Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://github.com/advisories/GHSA-72qj-48g4-5xgx | 38.4.0 |
| 2026-04-12T00:48:00.372457+00:00 | GitLab Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jruby/jruby/CVE-2025-46551.yml | 38.3.0 |
| 2026-04-11T14:52:33.771091+00:00 | GHSA Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://github.com/advisories/GHSA-72qj-48g4-5xgx | 38.3.0 |
| 2026-04-03T00:56:00.496033+00:00 | GitLab Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jruby/jruby/CVE-2025-46551.yml | 38.1.0 |
| 2026-04-02T15:32:16.211637+00:00 | GHSA Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://github.com/advisories/GHSA-72qj-48g4-5xgx | 38.1.0 |
| 2026-04-02T12:41:23.066032+00:00 | GitLab Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jruby/jruby/CVE-2025-46551.yml | 38.0.0 |
| 2026-04-01T12:56:57.546756+00:00 | GithubOSV Importer | Fixing | VCID-cu1e-wg2d-e3ef | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-72qj-48g4-5xgx/GHSA-72qj-48g4-5xgx.json | 38.0.0 |