From 05e861e3282b27d00f27e33898e2b4673934bdc5 Mon Sep 17 00:00:00 2001
From: Huda <18461096+hudakh@users.noreply.github.com>
Date: Mon, 27 Oct 2025 06:17:07 +0000
Subject: [PATCH 1/6] Add advisory for CVE-2025-61594 (URI Credential Leakage Bypass) for Ruby < 3.3.10 and < 3.4.7
---
 rubies/ruby/CVE-2025-61594.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 rubies/ruby/CVE-2025-61594.yml
diff --git a/rubies/ruby/CVE-2025-61594.yml b/rubies/ruby/CVE-2025-61594.yml
new file mode 100644
index 0000000000..c0a94c8825
--- /dev/null
+++ b/rubies/ruby/CVE-2025-61594.yml
@@ -0,0 +1,18 @@
+---
+engine: ruby
+cve: 2025-61594
+url: https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
+title: URI Credential Leakage Bypass
+date: 2025-10-07
+description: |
+ A vulnerability in the URI library bundled with Ruby allows sensitive user credentials
+ (such as usernames or passwords) in a URI to be unintentionally leaked when combining
+ URIs using the `+` operator. This issue bypasses the previous fix for CVE-2025-27221.
+ The issue affects Ruby's built-in URI implementation prior to Ruby 3.3.10 and 3.4.7.
+affected_versions:
+ - ">= 3.3.0, < 3.3.10"
+ - ">= 3.4.0, < 3.4.7"
+patched_versions:
+ - ">= 3.3.10"
+ - ">= 3.4.7"
From cb8543d560a712887a71cb9802258619ac82fdd2 Mon Sep 17 00:00:00 2001
From: Huda <18461096+hudakh@users.noreply.github.com>
Date: Wed, 29 Oct 2025 09:03:31 +1030
Subject: [PATCH 2/6] Add related url
---
 rubies/ruby/CVE-2025-61594.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rubies/ruby/CVE-2025-61594.yml b/rubies/ruby/CVE-2025-61594.yml
index c0a94c8825..007417b914 100644
--- a/rubies/ruby/CVE-2025-61594.yml
+++ b/rubies/ruby/CVE-2025-61594.yml
@@ -16,3 +16,6 @@ affected_versions:
 patched_versions:
 - ">= 3.3.10"
 - ">= 3.4.7"
+related:
+ url:
+ - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
From 7274e73da22ea683c971db437a4120654ebbeec2 Mon Sep 17 00:00:00 2001
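Review bot: The `description: |` block in the first hunk presents an interpreter upgrade as the only remediation ("prior to Ruby 3.3.10 and 3.4.7") and never mentions the `uri` gem, even though the `related:` link added in PATCH 2 points at a `gems/uri/CVE-2025-61594.yml` advisory for the same CVE, which suggests the fix is also shipped as a gem release. Operators who cannot move the interpreter (containers pinned to an older patch release, vendor-built Rubies) need that pointer in the rubies/ advisory itself, not only via the link. I would append one sentence to the description, `Where upgrading Ruby is not possible, the bundled uri gem can be updated independently; see the related gems/uri advisory for the fixed gem versions.`, leaving the exact gem versions to the linked advisory so nothing unverified is stated here. The `affected_versions`/`patched_versions` ranges in this hunk are revised by later patches in the series, so I am not commenting on them here.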
From: Huda <18461096+hudakh@users.noreply.github.com>
Date: Wed, 29 Oct 2025 09:04:04 +1030
Subject: [PATCH 3/6] include all older rubies in affected_versions
---
 rubies/ruby/CVE-2025-61594.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rubies/ruby/CVE-2025-61594.yml b/rubies/ruby/CVE-2025-61594.yml
index 007417b914..6b7c2ccae2 100644
--- a/rubies/ruby/CVE-2025-61594.yml
+++ b/rubies/ruby/CVE-2025-61594.yml
@@ -11,7 +11,7 @@ description: |
 The issue affects Ruby's built-in URI implementation prior to Ruby 3.3.10 and 3.4.7.
 affected_versions:
- - ">= 3.3.0, < 3.3.10"
+ - "< 3.3.10"
 - ">= 3.4.0, < 3.4.7"
 patched_versions:
 - ">= 3.3.10"
From 55028c14b326c356810261c9dea4f7992e88e210 Mon Sep 17 00:00:00 2001
From: Huda
Date: Thu, 30 Oct 2025 08:42:28 +1030
Subject: [PATCH 4/6] Remove `affected_versions`
---
 rubies/ruby/CVE-2025-61594.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rubies/ruby/CVE-2025-61594.yml b/rubies/ruby/CVE-2025-61594.yml
index 6b7c2ccae2..0347f820d8 100644
--- a/rubies/ruby/CVE-2025-61594.yml
+++ b/rubies/ruby/CVE-2025-61594.yml
@@ -10,11 +10,8 @@ description: |
 URIs using the `+` operator. This issue bypasses the previous fix for CVE-2025-27221.
 The issue affects Ruby's built-in URI implementation prior to Ruby 3.3.10 and 3.4.7.
-affected_versions:
- - "< 3.3.10"
- - ">= 3.4.0, < 3.4.7"
 patched_versions:
- - ">= 3.3.10"
+ - "~> 3.3.10"
 - ">= 3.4.7"
 related:
 url:
From b172065c7d13a3e8b5fa3d0dd137e41c527dcea6 Mon Sep 17 00:00:00 2001
From: Huda
Date: Thu, 30 Oct 2025 08:42:49 +1030
Subject: [PATCH 5/6] Add more related references
---
 rubies/ruby/CVE-2025-61594.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rubies/ruby/CVE-2025-61594.yml b/rubies/ruby/CVE-2025-61594.yml
index 0347f820d8..ac13b304b9 100644
--- a/rubies/ruby/CVE-2025-61594.yml
+++ b/rubies/ruby/CVE-2025-61594.yml
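Review bot: In the PATCH 4 hunk, dropping `affected_versions` means every Ruby outside `~> 3.3.10` and `>= 3.4.7` — all of 3.2.x and earlier included — is now reported as vulnerable, while the surviving description line "prior to Ruby 3.3.10 and 3.4.7" says nothing about whether those older series have any fixed release at all. Flagging them is the safe default for a credential-leak bug, but a reader on an older series is left without remediation guidance; confirm against the linked ruby-lang advisory whether any older series received a backport and, if so, add its range to `patched_versions`, otherwise add to the description `Older Ruby series have no patched release for this issue; upgrade to 3.3.10 or 3.4.7 (or update the bundled uri gem).` The change from `>= 3.3.10` to `~> 3.3.10` is the right call since the previous bound would have classified 3.4.0 through 3.4.6 as patched. The `related:` mapping that the hunk's trailing context lines belong to continues outside this hunk.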
@@ -16,3 +16,6 @@ patched_versions:
 related:
 url:
 - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
+ - https://www.cve.org/CVERecord?id=CVE-2025-61594
+ - https://www.ruby-lang.org/en/news/2025/10/23/ruby-3-3-10-released/
+ - https://www.ruby-lang.org/en/news/2025/10/07/ruby-3-4-7-released/
\ No newline at end of file
From 7f8092c83e0b3e362709b1a0071385d0640ff278 Mon Sep 17 00:00:00 2001
From: Huda
Date: Tue, 4 Nov 2025 14:45:31 +1030
Subject: [PATCH 6/6] Add missing newline at end of file
---
 rubies/ruby/CVE-2025-61594.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rubies/ruby/CVE-2025-61594.yml b/rubies/ruby/CVE-2025-61594.yml
index ac13b304b9..9ff22ad5d5 100644
--- a/rubies/ruby/CVE-2025-61594.yml
+++ b/rubies/ruby/CVE-2025-61594.yml
@@ -18,4 +18,4 @@ related:
 - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml
 - https://www.cve.org/CVERecord?id=CVE-2025-61594
 - https://www.ruby-lang.org/en/news/2025/10/23/ruby-3-3-10-released/
- - https://www.ruby-lang.org/en/news/2025/10/07/ruby-3-4-7-released/
\ No newline at end of file
+ - https://www.ruby-lang.org/en/news/2025/10/07/ruby-3-4-7-released/