ELA-1359-1 ruby2.5 security update

multiple vulnerabilities

2025-03-28
Package: ruby2.5
Version: 2.5.5-3+deb10u10 (buster)
Related CVEs: CVE-2025-27219 CVE-2025-27220 CVE-2025-27221


Ruby, a popular scripting language, was affected by multiple vulnerabilities.

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method contains a potential
denial-of-service (DoS) vulnerability. The method imposes no limit on
the length of the raw cookie string it processes, so parsing an
extremely large Cookie header can consume excessive CPU and memory.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the CGI::Util#escapeElement method: a crafted
input string can make the method's regular expression matching take
excessive time.

CVE-2025-27221

In the URI gem, the URI handling methods URI.join, URI#merge and URI#+
can inadvertently leak authentication credentials: when a relative
reference replaces the host, the userinfo (user name and password) of
the base URI is retained in the result, so credentials meant for one
host end up in a URI pointing at another.
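
The following Ruby snippet is an added example, not part of this advisory
or of the uri gem. It shows how to check whether the installed URI library
exhibits the CVE-2025-27221 behaviour, and a hypothetical helper, safe_join,
that applies the RFC 3986 rule itself (a reference that names a host brings
its own authority, so the base's credentials must not carry over) and
therefore gives the same result on patched and unpatched Rubies. The sample
URIs (example.com, cdn.example.net, the user:s3cret credentials) are
constructed for illustration; the value printed by leaks_userinfo? depends
on the uri version installed.

```ruby
require "uri"

# Constructed sample base URI carrying credentials (not from the advisory).
BASE_WITH_CREDS = "http://user:s3cret@example.com/app/index.html"

# Check: does the installed URI library keep the base URI's userinfo when a
# relative reference supplies a new host? true means the CVE-2025-27221
# behaviour is present; a patched uri gem returns false.
def leaks_userinfo?(base = BASE_WITH_CREDS, rel = "//cdn.example.net/asset.js")
  !URI.parse(base).merge(rel).userinfo.nil?
end

# Hardened join (hypothetical helper, not part of the uri gem): resolve with
# the library, then enforce RFC 3986 section 5.2.2 ourselves. If the
# reference names a host, the result's userinfo (or its absence) must come
# from the reference only, never from the base.
def safe_join(base, rel)
  base_uri = URI.parse(base)
  rel_uri  = URI.parse(rel)
  result   = base_uri.merge(rel_uri)
  if rel_uri.host
    # Clear the password first: URI refuses a password without a user.
    result.password = nil
    result.user     = rel_uri.user
    result.password = rel_uri.password
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  puts "installed uri leaks userinfo on host change: #{leaks_userinfo?}"
  puts "library merge: #{URI.parse(BASE_WITH_CREDS).merge('//cdn.example.net/asset.js')}"
  puts "safe_join:     #{safe_join(BASE_WITH_CREDS, '//cdn.example.net/asset.js')}"
  puts "same host:     #{safe_join(BASE_WITH_CREDS, '/other')}"
end
```

A same-host relative path ("/other") keeps the base's credentials, which is
the correct RFC behaviour; only a reference that supplies its own authority
drops them. The same rule applies to URI.join and URI#+, which are built on
URI#merge.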


For Debian 10 buster, these problems have been fixed in version 2.5.5-3+deb10u10.

We recommend that you upgrade your ruby2.5 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.