CVE CyberSecurity Database News

CVE-2025-27221 - How Ruby’s URI Gem Leaks Authentication Credentials—Vulnerability Details, Exploit, and Fixes

Poster -

In early 2025, a critical vulnerability was discovered in the widely-used URI gem for Ruby, listed as CVE-2025-27221. This issue affects all versions before 1..3 and could lead to your application accidentally leaking sensitive authentication credentials! Let’s break down what happened, see how you could get bitten by it, and share easy code examples and fixes.

🔥 What’s the Vulnerability?

Whenever you process URLs (Uniform Resource Identifiers) in Ruby, you might use the URI library’s methods like URI.join, URI#merge, or URI#+ to merge or combine different URLs.

The problem: If your URL includes user credentials—such as user:password@host.com—and you change the host, the credentials still remain in the URL! That means if you’re redirecting, proxifying, or logging a URL, you could send private logins to some unexpected place.

Example of “Userinfo” in a URI

url = "https://username:secret@secure.example.com/path";

Here, username:secret is called the *userinfo* part.

Step-by-Step: How Credentials Can Leak

Suppose your app tries to rewrite or redirect a URL to a different host, merging it with another path:

require 'uri'

base = URI.parse("https://user:pass@original-server.com/our-app/";)
target = URI.parse("https://evil.com/their-app/";)

# Merge the two
merged = base.merge(target)
puts merged.to_s

Expected Output

https://evil.com/their-app/

Actual Output (Pre-1..3)

https://user:pass@evil.com/their-app/

This script leaks your credentials to the new host! If you now pass or log this merged URL elsewhere, your secrets are exposed.

Real-World Exploit Scenario

- Reverse Proxies or API Gateways: If backend code modifies a URL with credentials, it might pass those credentials to a totally different host by accident.
- Open Redirects: If your app combines a user-supplied URL with a system-internal one, an attacker can trick your system into forwarding login secrets.
- Logging Sensitive Data: If you log merged URLs without sanitizing, credentials may end up in logs or error reports.

🗂 Original References & Confirmation

- Official Ruby Security Advisory
- CVE entry on NVD
- Github Issue and Patch
*(Links provided reflect actual advisory locations at time of writing.)*

Let’s boil it down to a quick, testable snippet

require "uri"

old_url = URI.parse("https://user:password@private.com/here";)
new_host = URI.parse("https://public.com/there";)

merged_uri = old_url.merge(new_host)
puts merged_uri.to_s # => https://user:password@public.com/there

After patching (v1..3+), the userinfo part is erased upon host change

https://public.com/there

Upgrade Your uri Gem:

Make sure you’re running uri gem version 1..3 or newer (or if built into Ruby, update your Ruby installation).

`ruby

url = URI.parse("https://user:pass@host.com/")

After the patch, the URI library clears userinfo whenever you change the host

# Internally in the patched gem:
if uri.host != other.host
  uri.userinfo = nil
end

📜 TL;DR

CVE-2025-27221 is a simple but dangerous bug in Ruby’s URI gem that lets secret credentials slip into the wrong hands when combining URLs. Update to version 1..3, audit your code, and make sure logs don’t leak more than they should.


Stay secure! For more info, check out the official advisory and keep your Ruby gems fresh.

Timeline

Published on: 03/04/2025 00:15:31 UTC
Last modified on: 03/05/2025 14:58:05 UTC