| 1 | +--- |
| 2 | +layout: news_post |
| 3 | +title: "Security advisories: CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221" |
| 4 | +author: "hsbt" |
| 5 | +translator: |
| 6 | +date: 2025-02-26 07:00:00 +0000 |
| 7 | +tags: security |
| 8 | +lang: en |
| 9 | +--- |
| 10 | + |
| 11 | +We published security advisories for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221. Please read the details below. |
| 12 | + |
| 13 | +## CVE-2025-27219: Denial of Service in `CGI::Cookie.parse`. |
| 14 | + |
| 15 | +There is a possibility for DoS by in the cgi gem. This vulnerability has been assigned the CVE identifier [CVE-2025-27219](https://www.cve.org/CVERecord?id=CVE-2025-27219). We recommend upgrading the cgi gem. |
| 16 | + |
| 17 | +### Details |
| 18 | + |
| 19 | +`CGI::Cookie.parse` took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service. |
| 20 | + |
| 21 | +Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later. |
| 22 | + |
| 23 | +### Affected versions |
| 24 | + |
| 25 | +* cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1. |
| 26 | + |
| 27 | +### Credits |
| 28 | + |
| 29 | +Thanks to [lio346](https://hackerone.com/lio346) for discovering this issue. Also thanks to [mame](https://github.com/mame) for fixing this vulnerability. |
| 30 | + |
| 31 | +## CVE-2025-27220: ReDoS in `CGI::Util#escapeElement`. |
| 32 | + |
| 33 | +There is a possibility for Regular expression Denial of Service(ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier [CVE-2025-27220](https://www.cve.org/CVERecord?id=CVE-2025-27220). We recommend upgrading the cgi gem. |
| 34 | + |
| 35 | +### Details |
| 36 | + |
| 37 | +The regular expression used in `CGI::Util#escapeElement` is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption. |
| 38 | + |
| 39 | +This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later. |
| 40 | + |
| 41 | +### Affected versions |
| 42 | + |
| 43 | +* cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1. |
| 44 | + |
| 45 | +### Credits |
| 46 | + |
| 47 | +Thanks to [svalkanov](https://hackerone.com/svalkanov) for discovering this issue. Also thanks to [nobu](https://github.com/nobu) for fixing this vulnerability. |
| 48 | + |
| 49 | + |
| 50 | +## CVE-2025-27221: userinfo leakage in `URI#join`, `URI#merge` and `URI#+`. |
| 51 | + |
| 52 | +There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier [CVE-2025-27221](https://www.cve.org/CVERecord?id=CVE-2025-27221). We recommend upgrading the uri gem. |
| 53 | + |
| 54 | +### Details |
| 55 | + |
| 56 | +The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. |
| 57 | + |
| 58 | +Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. |
| 59 | + |
| 60 | +### Affected versions |
| 61 | + |
| 62 | +* uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. |
| 63 | + |
| 64 | +### Credits |
| 65 | + |
| 66 | +Thanks to [Tsubasa Irisawa (lambdasawa)](https://hackerone.com/lambdasawa) for discovering this issue. Also thanks to [nobu](https://github.com/nobu) for additional fixes of this vulnerability. |
| 67 | + |
| 68 | +## History |
| 69 | + |
| 70 | +* Originally published at 2025-02-26 7:00:00 (UTC) |
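Review bot: the introductory sentence of each of the three advisory sections contains a stray "by", so "There is a possibility for DoS by in the cgi gem." should read "There is a possibility for DoS in the cgi gem.", and the same fix applies to "Regular expression Denial of Service(ReDoS) by in the cgi gem" (which also needs a space before the parenthesis) and "userinfo leakage by in the uri gem". The "Affected versions" bullets would also be clearer as explicit ranges, e.g. "cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1" reads as if "<=" applies to the whole list; spelling it out as "0.3.5 and earlier, 0.3.6, 0.4.0 and 0.4.1" matches the form already used in the uri section ("< 0.11.3, 0.12.0 to 0.12.3, ..."). Finally, the CVE-2025-27220 section states that only Ruby 3.1 and 3.2 are affected while listing the same cgi gem versions as CVE-2025-27219; a sentence explaining why later Rubies are unaffected (or which bundled cgi versions they ship) would help readers confirm their exposure.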