CVE-2025-46551

Description

### Summary When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn't complain. ### Details n/a ### PoC An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3 ```ruby require "net/http" require "openssl" uri = URI("https://bad.substitutealert.com/") https = Net::HTTP.new(uri.host, uri.port) https.use_ssl = true https.verify_mode = OpenSSL::SSL::VERIFY_PEER body = https.start { https.get(uri.request_uri).body } puts body ``` ### Impact Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely

How to fix CVE-2025-46551

To remediate CVE-2025-46551, upgrade the affected package to a fixed version below.

• —upgrade to 10.0.0.1 or later
• —upgrade to 0.15.4 or later
• —upgrade to 0.15.4 or later

Is CVE-2025-46551 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 10.0.0.0, < 10.0.0.1
• >= 0.12.1, < 0.15.4
• >= 0.12.1, < 0.15.4

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-46551
• PATCHgithub.com/jruby/jruby-openssl
• WEBgithub.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285
• WEBgithub.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055