CWE: 295, 297

Advisory: GHSA-72qj-48g4-5xgx

First published: Wed May 07 2025 (Updated: )

### Summary

When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn't complain.

### Details

n/a

### PoC

An example domain bad.substitutealert.com was created to present a certificate for the domain s8a.me. The following script, run in IRB in CRuby 3.4.3, will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3:

```ruby
require "net/http"
require "openssl"

# The host we address the request to; the server answers with a certificate issued for s8a.me.
uri = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
# Chain verification is requested; CRuby additionally rejects the hostname mismatch, JRuby does not.
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
body = https.start { https.get(uri.request_uri).body }
puts body
```

### Impact

Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely
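As an added illustration that is not part of the advisory, the check the Summary says jruby-openssl skips, written against Ruby's openssl API so a client can apply it explicitly on top of chain verification. The certificate is constructed in-process as a stand-in for the one bad.substitutealert.com serves for s8a.me, and wiring the check through `verify_callback` is an assumption about jruby-openssl behaving like CRuby's openssl here.

```ruby
require "openssl"

# Constructed stand-in for the server certificate in the PoC: self-signed,
# with subject and subjectAltName naming s8a.me, the only host it is valid for.
def build_cert_for(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The identity check the advisory describes as missing: does the certificate's
# SAN (or CN fallback) match the host we meant to connect to? Returns true/false.
def hostname_matches?(cert, expected_host)
  OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# Verify-callback body: apply the identity check to the leaf certificate
# (depth 0) in addition to whatever chain verification already produced.
# Intermediate and root certificates are passed through unchanged.
def leaf_hostname_check(expected_host, preverify_ok, depth, cert)
  return preverify_ok unless depth.zero?
  preverify_ok && hostname_matches?(cert, expected_host)
end

# Wiring into the advisory's Net::HTTP client (assumption: jruby-openssl
# invokes verify_callback with the same arguments CRuby's openssl does):
#
#   https.verify_callback = lambda do |ok, ctx|
#     leaf_hostname_check(uri.host, ok, ctx.error_depth, ctx.current_cert)
#   end
```

With that callback in place the PoC request fails on both CRuby and the affected JRuby versions, because the leaf check returns false for `bad.substitutealert.com` against a certificate naming only `s8a.me`.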

| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jruby:jruby | >=9.3.4.0, <9.4.12.1 | 9.4.12.1 |
| maven/org.jruby:jruby | >=10.0.0.0, <10.0.0.1 | 10.0.0.1 |
| maven/rubygems:jruby-openssl | >=0.12.1, <0.15.4 | 0.15.4 |


Frequently Asked Questions

  • What is the severity of GHSA-72qj-48g4-5xgx?

    GHSA-72qj-48g4-5xgx is rated as a high-severity vulnerability due to the risk of man-in-the-middle attacks.

  • How do I fix GHSA-72qj-48g4-5xgx?

    To fix GHSA-72qj-48g4-5xgx, upgrade jruby-openssl to version 0.15.4 or jruby to versions 9.4.12.1 or 10.0.0.1.

  • What software is affected by GHSA-72qj-48g4-5xgx?

    GHSA-72qj-48g4-5xgx affects jruby versions from 9.3.4.0 up to (but not including) 9.4.12.1 and from 10.0.0.0 up to (but not including) 10.0.0.1, as well as jruby-openssl versions from 0.12.1 up to (but not including) 0.15.4.

  • What issue does GHSA-72qj-48g4-5xgx address?

    GHSA-72qj-48g4-5xgx addresses the lack of hostname verification when validating SSL certificates in jruby-openssl.

  • What potential attacks are possible due to GHSA-72qj-48g4-5xgx?

    The vulnerability GHSA-72qj-48g4-5xgx allows a man-in-the-middle (MITM) attacker to exploit the SSL connection by presenting a valid certificate for a different domain.

Contact

SecAlerts Pty Ltd.