In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4163 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4163-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Lucas Kanashiro     May 12, 2025                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : rubygems     Version        : 3.2.5-2+deb11u1     CVE ID         : CVE-2021-43809 CVE-2023-28755 CVE-2025-27221

    Multiple vulnerabilities were found in rubygems, which contains a package     management framework for Ruby and a dependency manager for Ruby applications.

    CVE-2021-43809

        In bundler versions before 2.2.33, when working with untrusted and         apparently harmless `Gemfile`'s, it is not expected that they lead to         execution of external code, unless that's explicit in the ruby code inside         the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that         use the `git` option with invalid, but seemingly harmless, values with a         leading dash, this can be false. To handle dependencies that come from a         Git repository instead of a registry, Bundler uses various commands, such         as `git clone`.  These commands are being constructed using user input         (e.g.  the repository URL). When building the commands, Bundler versions         before 2.2.33 correctly avoid Command Injection vulnerabilities by passing         an array of arguments instead of a command string.  However, there is the         possibility that a user input starts with a dash (`-`) and is therefore         treated as an optional argument instead of a positional one.  This can lead         to Code Execution because some of the commands have options that can be         leveraged to run arbitrary executables.

    CVE-2023-28755

        A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby         through 3.2.1. The URI parser mishandles invalid URLs that have specific         characters. It causes an increase in execution time for parsing strings to         URI objects.

    CVE-2025-27221

        The URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent         leakage of authentication credentials because userinfo is retained even         after changing the host.

    For Debian 11 bullseye, these problems have been fixed in version     3.2.5-2+deb11u1.

    We recommend that you upgrade your rubygems packages.

    For the detailed security status of rubygems please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/rubygems

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists     in the Util#escapeElement method.(CVE-2025-27220)

    In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential     Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw     cookie value it processes. This oversight can lead to excessive resource consumption when parsing     extremely large cookies.(CVE-2025-27219)

    In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an     inadvertent leakage of authentication credentials because userinfo is retained even after changing the     host.(CVE-2025-27221)

Tenable has extracted the preceding description block directly from the EulerOS ruby security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:4488 advisory.

    * rexml: DoS vulnerability in REXML (CVE-2024-39908)
      * rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace     character, >] and ]> (CVE-2024-41123)
      * rexml: DoS vulnerability in REXML (CVE-2024-41946)
      * rexml: DoS vulnerability in REXML (CVE-2024-43398)
      * CGI: ReDoS in CGI::Util#escapeElement (CVE-2025-27220)
      * CGI: Denial of Service in CGI::Cookie.parse (CVE-2025-27219)
      * uri: userinfo leakage in URI#join, URI#merge and URI#+ (CVE-2025-27221)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-4488 advisory.

    ruby     [3.1.7-146]
    - Upgrade to Ruby 3.1.7.
      Resolves: RHEL-55410
    - Fix DoS vulnerability in REXML. (CVE-2024-39908)       Resolves: RHEL-86077

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-4493 advisory.

    - Fix Net::IMAP vulnerable to possible DoS by memory exhaustion. (CVE-2025-25186)
    - Fix Denial of Service in CGI::Cookie.parse. (CVE-2025-27219)       Resolves: RHEL-87182

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:4493 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    Security Fix(es):

    * net-imap: Net::IMAP vulnerable to possible DoS by memory exhaustion (CVE-2025-25186)

    * CGI: Denial of Service in CGI::Cookie.parse (CVE-2025-27219)

    * uri: userinfo leakage in URI#join, URI#merge and URI#+ (CVE-2025-27221)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:4488 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    Security Fix(es):

    * rexml: DoS vulnerability in REXML (CVE-2024-39908)

    * rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace     character, >] and ]> (CVE-2024-41123)

    * rexml: DoS vulnerability in REXML (CVE-2024-41946)

    * rexml: DoS vulnerability in REXML (CVE-2024-43398)

    * CGI: ReDoS in CGI::Util#escapeElement (CVE-2025-27220)

    * CGI: Denial of Service in CGI::Cookie.parse (CVE-2025-27219)

    * uri: userinfo leakage in URI#join, URI#merge and URI#+ (CVE-2025-27221)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:4063 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    Security Fix(es):

    * rexml: DoS vulnerability in REXML (CVE-2024-39908)

    * rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace     character, >] and ]> (CVE-2024-41123)

    * rexml: DoS vulnerability in REXML (CVE-2024-41946)

    * rexml: DoS vulnerability in REXML (CVE-2024-43398)

    * CGI: ReDoS in CGI::Util#escapeElement (CVE-2025-27220)

    * CGI: Denial of Service in CGI::Cookie.parse (CVE-2025-27219)

    * uri: userinfo leakage in URI#join, URI#merge and URI#+ (CVE-2025-27221)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-9bef972bb9 advisory.

 Upgrade to Ruby 3.3.8.

 * CVE-2025-25186: Fix Net::IMAP vulnerable to possible DoS by memory exhaustion Resolves: rhbz#2345556 
 * CVE-2025-27219: Denial of Service in CGI::Cookie.parse Resolves: rhbz#2357516 
 * CVE-2025-27221: userinfo leakage in URI#join, URI#merge and URI#+



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-4063 advisory.

    - Fix DoS vulnerability in REXML. (CVE-2024-39908)       Resolves: RHEL-57051
    - Fix DoS vulnerability in REXML. (CVE-2024-43398)       Resolves: RHEL-56002
    - Fix REXML ReDoS vulnerability. (CVE-2024-49761)       Resolves: RHEL-68520
    - Fix HTTP response splitting in CGI.
      Resolves: CVE-2021-33621
    - Fix ReDos vulnerability in URI.
      Resolves: CVE-2023-28755       Resolves: CVE-2023-36617
    - Fix ReDos vulnerability in Time.
      Resolves: CVE-2023-28756
    - Fix command injection vulnerability in RDoc. (CVE-2021-31799)
    - Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
      (CVE-2021-31810)
    - Fix StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
    - Fix dependencies of gems with explicit source installed from a       different source. (CVE-2020-36327)
    - Fix CVE-2013-4073.
    - Fix object taint bypassing in DL and Fiddle (CVE-2013-2065).
    - Fix Hash-flooding DoS vulnerability on MurmurHash function       (CVE-2012-5371)
    - Don't create files when NUL-containing path name is passed       (bug 865940, CVE-2012-4522)
    - Patch from trunk for CVE-2012-4464, CVE-2012-4466
    - Randomize hash on process startup (CVE-2011-4815, bug 750564)
    - CVE-2011-2686 is fixed in this version (bug 722415)
    - CVE-2010-0541 (bug 587731) is fixed in this version
    - CVE-2009-4492 ruby WEBrick log escape sequence (bug 554485)
    - New patchlevel fixing CVE-2009-1904
    - Fix regression in CVE-2008-3790 (#485383)
    - CVE-2008-5189: CGI header injection.
    - CVE-2008-3790: DoS vulnerability in the REXML module.
    - Security fixes.
      - CVE-2008-3655: Ruby does not properly restrict access to critical                        variables and methods at various safe levels.
      - CVE-2008-3656: DoS vulnerability in WEBrick.
      - CVE-2008-3657: Lack of taintness check in dl.
      - CVE-2008-1447: DNS spoofing vulnerability in resolv.rb.
      - CVE-2008-3443: Memory allocation failure in Ruby regex engine.
    - Security fixes. (#452295)
      - CVE-2008-1891: WEBrick CGI source disclosure.
      - CVE-2008-2662: Integer overflow in rb_str_buf_append().
      - CVE-2008-2663: Integer overflow in rb_ary_store().
      - CVE-2008-2664: Unsafe use of alloca in rb_str_format().
      - CVE-2008-2725: Integer overflow in rb_ary_splice().
      - CVE-2008-2726: Integer overflow in rb_ary_splice().
    - ruby-1.8.6.111-CVE-2007-5162.patch: removed.
    - Security fix for CVE-2008-1145.
    - ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes        at trunk to enable the fix without any modifications on the users' scripts.
       Note that Net::HTTP#enable_post_connection_check isn't available anymore.
       If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE        to Net::HTTP#verify_mode= instead of.
    - ruby-1.8.6-CVE-2007-5162.patch: security fix for Net::HTTP that is       insufficient verification of SSL certificate.
    - ruby-1.8.5-cgi-CVE-2006-5467.patch: fix a CGI multipart parsing bug that       causes the denial of service. (#212396)
    - security fixes [CVE-2006-3694]
      - ruby-1.8.4-fix-insecure-dir-operation.patch:
      - ruby-1.8.4-fix-insecure-regexp-modification.patch: fixed the insecure         operations in the certain safe-level restrictions. (#199538)
      - ruby-1.8.4-fix-alias-safe-level.patch: fixed to not bypass the certain         safe-level restrictions. (#199543)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-60513bdbbd advisory.

 Upgrade to Ruby 3.3.8.

 * CVE-2025-25186: Fix Net::IMAP vulnerable to possible DoS by memory exhaustion Resolves: rhbz#2345557
 * CVE-2025-27219: Denial of Service in CGI::Cookie.parse Resolves: rhbz#2357516
 * CVE-2025-27221: userinfo leakage in URI#join, URI#merge and URI#+


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7442-1 advisory.

    It was discovered that the Ruby CGI gem incorrectly handled parsing certain cookies. A remote attacker     could possibly use this issue to consume resources, leading to a denial of service. (CVE-2025-27219)

    It was discovered that the Ruby CGI gem incorrectly handled parsing certain regular expressions. A remote     attacker could possibly use this issue to consume resources, leading to a denial of service.
    (CVE-2025-27220)

    It was discovered that the Ruby URI gem incorrectly handled certain URI handling methods. A remote     attacker could possibly use this issue to leak authentication credentials. (CVE-2025-27221)

    It was discovered that the Ruby REXML gem incorrectly handled parsing XML documents containing many digits     in a hex numeric character reference. A remote attacker could use this issue to consume resources, leading     to a denial of service. (CVE-2024-49761)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of ruby installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-27221 advisory.

  - In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an     inadvertent leakage of authentication credentials because userinfo is retained even after changing the     host. (CVE-2025-27221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-928 advisory.

    In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an     inadvertent leakage of authentication credentials because userinfo is retained even after changing the     host. (CVE-2025-27221)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7418-1 advisory.

    It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML     characters in an attribute value using REXML gem. An attacker could use this issue to cause Ruby to crash,     resulting in a denial of service. This issue only affected in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and     Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-43398)

    It was discovered that Ruby incorrectly handled expanding ranges in the net-imap response parser. If a     user or automated system were tricked into connecting to a malicious IMAP server, a remote attacker could     possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu     24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)

    It was discovered that the Ruby CGI gem incorrectly handled parsing certain cookies. A remote attacker     could possibly use this issue to consume resources, leading to a denial of service. (CVE-2025-27219)

    It was discovered that the Ruby CGI gem incorrectly handled parsing certain regular expressions. A remote     attacker could possibly use this issue to consume resources, leading to a denial of service.
    (CVE-2025-27220)

    It was discovered that the Ruby URI gem incorrectly handled certain URI handling methods. A remote     attacker could possibly use this issue to leak authentication credentials. (CVE-2025-27221)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the ruby package has been released.

The version of ruby installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-27221 advisory.

  - In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an     inadvertent leakage of authentication credentials because userinfo is retained even after changing the     host. (CVE-2025-27221)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4082 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4082-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Bastien Roucaris     March 10, 2025                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : ruby2.7     Version        : 2.7.4-1+deb11u5     CVE ID         : CVE-2025-27219 CVE-2025-27220 CVE-2025-27221

    Ruby a popular language was affected by multiple vulnerabilities

    CVE-2025-27219

        In the CGI gem, the CGI::Cookie.parse method in the CGI library         contains a potential Denial of Service (DoS) vulnerability.
        The method does not impose any limit on the length of the raw cookie         value it processes. This oversight can lead to excessive         resource consumption when parsing extremely large cookies

    CVE-2025-27220

        In the CGI gem, a Regular Expression Denial of Service (ReDoS)         vulnerability exists in the Util#escapeElement method.

    CVE-2025-27221

        In the URI gem, the URI handling methods         (URI.join, URI#merge, URI#+) have an inadvertent leakage of         authentication credentials because userinfo is retained         even after changing the host.

    For Debian 11 bullseye, these problems have been fixed in version     2.7.4-1+deb11u5.

    We recommend that you upgrade your ruby2.7 packages.

    For the detailed security status of ruby2.7 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ruby2.7

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an     inadvertent leakage of authentication credentials because userinfo is retained even after changing the     host. (CVE-2025-27221)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
236773	Debian dla-4163 : bundler - security update	Nessus	Debian Local Security Checks	low
235742	EulerOS 2.0 SP10 : ruby (EulerOS-SA-2025-1538)	Nessus	Huawei Local Security Checks	medium
235739	EulerOS 2.0 SP10 : ruby (EulerOS-SA-2025-1539)	Nessus	Huawei Local Security Checks	medium
235611	AlmaLinux 9 : ruby:3.1 (ALSA-2025:4488)	Nessus	Alma Linux Local Security Checks	high
235375	Oracle Linux 9 : ruby:3.1 (ELSA-2025-4488)	Nessus	Oracle Linux Local Security Checks	high
235373	Oracle Linux 9 : ruby:3.3 (ELSA-2025-4493)	Nessus	Oracle Linux Local Security Checks	medium
235172	RHEL 9 : ruby:3.3 (RHSA-2025:4493)	Nessus	Red Hat Local Security Checks	medium
235165	RHEL 9 : ruby:3.1 (RHSA-2025:4488)	Nessus	Red Hat Local Security Checks	high
234769	RHEL 8 : ruby:3.1 (RHSA-2025:4063)	Nessus	Red Hat Local Security Checks	high
234750	Fedora 40 : ruby (2025-9bef972bb9)	Nessus	Fedora Local Security Checks	medium
234723	Oracle Linux 8 : ruby:3.1 (ELSA-2025-4063)	Nessus	Oracle Linux Local Security Checks	high
234694	Fedora 41 : ruby (2025-60513bdbbd)	Nessus	Fedora Local Security Checks	medium
234686	Ubuntu 16.04 LTS / 18.04 LTS : Ruby vulnerabilities (USN-7442-1)	Nessus	Ubuntu Local Security Checks	high
234642	Azure Linux 3.0 Security Update: ruby (CVE-2025-27221)	Nessus	Azure Linux Local Security Checks	low
234330	Amazon Linux 2023 : ruby3.2, ruby3.2-bundled-gems, ruby3.2-default-gems (ALAS2023-2025-928)	Nessus	Amazon Linux Local Security Checks	low
233968	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : Ruby vulnerabilities (USN-7418-1)	Nessus	Ubuntu Local Security Checks	medium
233320	Photon OS 4.0: Ruby PHSA-2025-4.0-0772	Nessus	PhotonOS Local Security Checks	medium
233319	Photon OS 5.0: Ruby PHSA-2025-5.0-0488	Nessus	PhotonOS Local Security Checks	medium
233079	CBL Mariner 2.0 Security Update: ruby (CVE-2025-27221)	Nessus	MarinerOS Local Security Checks	low
232556	Debian dla-4082 : libruby2.7 - security update	Nessus	Debian Local Security Checks	medium
232079	Linux Distros Unpatched Vulnerability : CVE-2025-27221	Nessus	Misc.	medium

Detections

Analytics

CVE-2025-27221

low

Tenable Plugins

low

medium

medium

high

high

medium

medium

high

high

medium

high

medium

high

low

low

medium

medium

medium

low

medium

medium