
CVSS: 5.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

03 Mar 2025 — In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

27 Mar 2023 — lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120, `authority-regex` allows an attacker to send malicious URLs to be parsed by `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output; e.g. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correc... • https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') • CWE-706: Use of Incorrectly-Resolved Name or Reference