CVE-2025-46551: JRuby-OpenSSL has hostname verification disabled by default
First published: Wed May 07 2025(Updated: )
### Summary When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn't complain. ### Details n/a ### PoC An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3 ```ruby require "net/http" require "openssl" uri = URI("https://bad.substitutealert.com/") https = Net::HTTP.new(uri.host, uri.port) https.use_ssl = true https.verify_mode = OpenSSL::SSL::VERIFY_PEER body = https.start { https.get(uri.request_uri).body } puts body ``` ### Impact Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL | >=0.12.1<0.15.4 | |
| Ruby | >9.3.4.0<9.4.12.1>10.0.0.0<10.0.0.1 | |
| maven/org.jruby:jruby | >=9.3.4.0<9.4.12.1 | 9.4.12.1 |
| maven/org.jruby:jruby | >=10.0.0.0<10.0.0.1 | 10.0.0.1 |
| maven/rubygems:jruby-openssl | >=0.12.1<0.15.4 | 0.15.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx
- https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285
- https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055
- https://nvd.nist.gov/vuln/detail/CVE-2025-46551
- https://github.com/advisories/GHSA-72qj-48g4-5xgx (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-46551?
CVE-2025-46551 has been identified with a high severity due to its potential impact on SSL certificate verification.
How do I fix CVE-2025-46551?
To mitigate CVE-2025-46551, upgrade JRuby-OpenSSL to version 0.15.4 or later.
Which versions of JRuby-OpenSSL are affected by CVE-2025-46551?
CVE-2025-46551 affects JRuby-OpenSSL versions from 0.12.1 up to, but not including, 0.15.4.
Is there a workaround for CVE-2025-46551 if I cannot update immediately?
If unable to update, consider disabling the use of JRuby-OpenSSL until a safe upgrade can be performed.
What are the implications of CVE-2025-46551 for my application?
CVE-2025-46551 may allow attackers to bypass SSL certificate validation, exposing your application to man-in-the-middle attacks.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/first-publish-date
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-72qj-48g4-5xgx
- alias/CVE-2025-46551
- collector/nvd-cve
- source/NVD
- agent/references
- collector/nvd-api
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/jruby
- canonical/openssl
- canonical/ruby
- package-manager/maven