Description

JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1.

INFO

Published Date :

2025-05-07T16:12:23.771Z

Last Modified :

2025-05-07T20:17:32.055Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-46551 vulnerability.

Vendors Products
Jruby
  • Jruby
  • Jruby-openssl
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-46551.

URL Resource
https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285 cve-icon cve-icon cve-icon
https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-46551 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-46551 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact