{"version":"0.9.2","created_at":"2025-03-04 07:31:06 +0100","results":[{"type":"unpatched_gem","gem":{"name":"uri","version":"1.0.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/uri/CVE-2025-27221.yml","id":"CVE-2025-27221","url":"https://www.cve.org/CVERecord?id=CVE-2025-27221","title":"CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.","date":"2025-02-26","description":"\nThere is a possibility for userinfo leakage by in the uri gem.\nThis vulnerability has been assigned the CVE identifier\nCVE-2025-27221. We recommend upgrading the uri gem.\n\n## Details\n\nThe methods URI#join, URI#merge, and URI#+ retained userinfo, such\nas user:password, even after the host is replaced. When generating\na URL to a malicious host from a URL containing secret userinfo\nusing these methods, and having someone access that URL, an\nunintended userinfo leak could occur.\n\nPlease update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.\n\n## Affected versions\n\nuri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and\n1.0.0 to 1.0.2.\n\n## Credits\n\nThanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.\nAlso thanks to nobu for additional fixes of this vulnerability.\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-27221","osvdb":null,"ghsa":null,"unaffected_versions":[],"patched_versions":["~> 0.11.3","~> 0.12.4","~> 0.13.2",">= 1.0.3"],"criticality":null}}]}