VulnerableCode Package Details - pkg:gem/uri@0.12.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-ug6n-hxax-xfgp Aliases: CVE-2025-27221 GHSA-22h5-pq3x-2gf2	URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.	0.12.4 Affected by 0 other vulnerabilities. 0.13.2 Affected by 0 other vulnerabilities. 1.0.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ug6n-hxax-xfgp
Aliases:
CVE-2025-27221
GHSA-22h5-pq3x-2gf2

URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.

0.12.4
Affected by 0 other vulnerabilities.

0.13.2
Affected by 0 other vulnerabilities.

1.0.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-xwax-7pq7-pbcy	A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.	CVE-2023-36617 GHSA-hww2-5g85-429m

Vulnerability

Summary

Aliases

VCID-xwax-7pq7-pbcy

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

CVE-2023-36617
GHSA-hww2-5g85-429m

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:22:10.726063+00:00	GitLab Importer	Affected by	VCID-ug6n-hxax-xfgp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/uri/CVE-2025-27221.yml	37.0.0
2025-07-03T16:53:15.864567+00:00	GHSA Importer	Fixing	VCID-xwax-7pq7-pbcy	https://github.com/advisories/GHSA-hww2-5g85-429m	37.0.0
2025-07-01T18:14:26.258801+00:00	GitLab Importer	Fixing	VCID-xwax-7pq7-pbcy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/uri/CVE-2023-36617.yml	36.1.3
2025-07-01T12:16:00.404034+00:00	GithubOSV Importer	Fixing	VCID-xwax-7pq7-pbcy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-hww2-5g85-429m/GHSA-hww2-5g85-429m.json	36.1.3