The Clingy Credential: Ruby URI Bypass (CVE-2025-61594)
Jan 1, 2026·5 min read·1 visit
Executive Summary (TL;DR)
Ruby's `uri` gem failed to scrub credentials (username/password) when merging URIs or changing hosts. If your code modifies a URL containing secrets (e.g., `http://admin:pass@internal`), it might accidentally carry those secrets over to the new destination (e.g., `http://admin:pass@public`), leaking credentials to external servers.
A deep dive into a credential leakage vulnerability in Ruby's standard `uri` gem, where updating a URI's host or port fails to clear sensitive user information, effectively bypassing the fix for CVE-2025-27221.
Official Patches
Fix Analysis (2)
Technical Appendix
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:UAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
uri Ruby | < 0.12.5 | 0.12.5 |
uri Ruby | 0.13.0 - 0.13.2 | 0.13.3 |
uri Ruby | 1.0.0 - 1.0.3 | 1.0.4 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-212 |
| Attack Vector | Network |
| CVSS Score | 2.7 (Low) |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
| Impact | Credential Leakage |
| EPSS Score | 0.00045 |
MITRE ATT&CK Mapping
The product stores, transfers, or otherwise manages sensitive information but does not clear or overwrite that information when it is no longer needed or when the context changes.