CVE-2025-61594 (Medium) detected in uri-1.0.3.gem

[mend-bolt-for-github]

CVE-2025-61594 - Medium Severity Vulnerability

Vulnerable Library - uri-1.0.3.gem

URI is a module providing classes to handle Uniform Resource Identifiers

Library home page: https://rubygems.org/gems/uri-1.0.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/uri-1.0.3.gem

Dependency Hierarchy:

• manageiq-style-1.3.3.gem (Root Library)
  • more_core_extensions-4.5.1.gem
    • activesupport-8.0.2.gem
      • ❌ uri-1.0.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the "+" operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

Publish Date: 2025-12-30

URL: CVE-2025-61594

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j4pr-3wm6-xx2r

Release Date: 2025-12-30

Fix Resolution: uri - 0.13.3,uri - 1.0.4,uri - 0.12.5

---

Step up your Open Source Security Game with Mend here