CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-61594
CVSS 2.7 · EPSS 0.04%

The Clingy Credential: Ruby URI Bypass (CVE-2025-61594)

Amit Schendel
Senior Security Researcher

Jan 1, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

Ruby's `uri` gem failed to scrub credentials (username/password) when merging URIs or changing hosts. If your code modifies a URL containing secrets (e.g., `http://admin:pass@internal`), it might accidentally carry those secrets over to the new destination (e.g., `http://admin:pass@public`), leaking credentials to external servers.

A deep dive into a credential leakage vulnerability in Ruby's standard `uri` gem, where updating a URI's host or port fails to clear sensitive user information, effectively bypassing the fix for CVE-2025-27221.
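The defensive side of the behaviour described above, as an added example that is not code from the `uri` gem or from the report: helpers that merge or re-host a URI and drop the base credentials whenever the scheme, host or port changes, plus a check suitable for a test suite or outbound-request hook. The sample hostnames are constructed.

```ruby
require "uri"

# Compare the parts of a URI that decide where credentials will be sent:
# scheme, host (case-insensitive) and effective port.
def same_authority?(a, b)
  a.scheme == b.scheme &&
    a.host.to_s.downcase == b.host.to_s.downcase &&
    a.port == b.port
end

# Clear user and password individually: URI::Generic#userinfo= treats nil
# as a no-op, so `uri.userinfo = nil` leaves the secret in place.
def clear_userinfo!(uri)
  uri.password = nil
  uri.user = nil
  uri
end

# Merge a reference into a base URI without letting the base's credentials
# ride along to a different authority. They survive only when the authority
# is unchanged, or when the reference supplied credentials of its own.
def safe_merge(base, ref)
  base_uri = URI(base)
  ref_uri = URI(ref)
  result = base_uri.merge(ref_uri).dup
  return result if same_authority?(base_uri, result)
  clear_userinfo!(result) unless ref_uri.userinfo
  result
end

# Point a copy of an existing URI at a new host, dropping credentials that
# were issued for the old one.
def safe_change_host(uri, new_host)
  out = URI(uri).dup
  return out if out.host.to_s.downcase == new_host.downcase
  out.host = new_host
  clear_userinfo!(out)
end

# Detection check for test suites or outbound-request hooks: true when a
# derived URI still carries the original's credentials but targets another
# scheme/host/port.
def leaks_credentials?(original, derived)
  original, derived = URI(original), URI(derived)
  creds = original.userinfo
  return false if creds.nil? || creds.empty?
  derived.userinfo == creds && !same_authority?(original, derived)
end
```

The helpers post-process the gem's own result, so they give the same outcome on patched and unpatched `uri` versions.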

Official Patches

  • Ruby: Official Ruby Security Advisory

CVSS Score: 2.7 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
EPSS Probability: 0.04% (top 90% most exploited)

Affected Systems

  • Ruby applications using the `uri` gem
  • Web crawlers/scrapers written in Ruby
  • API clients constructing URLs dynamically
  • Proxy services implemented in Ruby

Affected Versions Detail

  Product      Affected Versions   Fixed Version
  uri (Ruby)   < 0.12.5            0.12.5
  uri (Ruby)   0.13.0 - 0.13.2     0.13.3
  uri (Ruby)   1.0.0 - 1.0.3       1.0.4

  Attribute       Detail
  CWE ID          CWE-212
  Attack Vector   Network
  CVSS Score      2.7 (Low)
  CVSS Vector     CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
  Impact          Credential Leakage
  EPSS Score      0.00045

MITRE ATT&CK Mapping

  • T1552 Unsecured Credentials (Credential Access)
  • T1190 Exploit Public-Facing Application (Initial Access)

CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or otherwise manages sensitive information but does not clear or overwrite that information when it is no longer needed or when the context changes.

Known Exploits & Detection

  • Internal PoC: Simple Ruby script demonstrating URI merge credential persistence

Vulnerability Timeline

  • CVE Published: 2025-02-14
  • Patched versions released: 2025-02-14


Related Vulnerabilities

  • CVE-2025-27221

Attack Flow Diagram

[Interactive diagram; not reproduced in text.]