How the CVE Works
JRuby-OpenSSL disables hostname verification by default when validating SSL/TLS certificates. This allows attackers to perform Man-in-the-Middle (MITM) attacks by presenting a valid certificate for a different domain. For example, if a JRuby application connects to example.com, an attacker could intercept the connection using a certificate for attacker.com, and JRuby would accept it because the certificate's name is never compared with the requested host. This flaw exists in JRuby versions 9.4.2.0 and 10.0.0.0 due to jruby-openssl 0.15.3.
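To make the distinction between chain validation and hostname verification concrete, here is an added example (not from the original page or from the JRuby project) written against Ruby's openssl gem. It builds a constructed self-signed certificate for attacker.com, shows that a store which trusts that certificate accepts the chain, and then shows that the identity check (OpenSSL::SSL.verify_certificate_identity) rejects it for example.com. The helper names, the trust-store setup and the certificate contents are assumptions made for the demonstration; a client that skips the second check behaves like the vulnerable configuration described above.

```ruby
require 'openssl'

# Build a self-signed certificate for the given hostname (constructed test data,
# not a real CA-issued certificate). subjectAltName is what identity checks
# consult first; the CN is kept as a fallback.
def self_signed_cert_for(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Chain/trust check only: does a store that trusts this certificate accept it?
# This is the part of validation that still runs when hostname verification is off.
def chain_valid?(cert, store)
  store.verify(cert)
end

# Identity check: does the certificate actually name the host we meant to reach?
# This is the step hostname verification adds on top of chain validation.
def identity_matches?(cert, expected_host)
  OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# The decision a correctly configured client makes: both checks must pass.
def accept_server_cert?(cert, store, expected_host)
  chain_valid?(cert, store) && identity_matches?(cert, expected_host)
end

if $PROGRAM_NAME == __FILE__
  attacker_cert = self_signed_cert_for('attacker.com')
  store = OpenSSL::X509::Store.new
  store.add_cert(attacker_cert) # stand-in for "a trusted CA issued this certificate"
  puts "chain valid:                  #{chain_valid?(attacker_cert, store)}"
  puts "names example.com:            #{identity_matches?(attacker_cert, 'example.com')}"
  puts "accept when expecting example.com: #{accept_server_cert?(attacker_cert, store, 'example.com')}"
end
```

Run as a script, the chain check reports true and the identity check reports false: that gap is exactly what a client with hostname verification disabled never notices.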
DailyCVE Form:
Platform: JRuby-OpenSSL
Version: 0.15.3
Vulnerability: Hostname verification bypass
Severity: Moderate
Date: May 7, 2025
What Undercode Say:
Exploitation:
1. Attacker intercepts the TLS handshake.
2. Presents a valid certificate for a different domain.
3. JRuby accepts the connection without hostname validation.
Proof of Concept (PoC):
```ruby
require 'net/http'
require 'openssl'

uri = URI("https://bad.substitutealert.com")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# Simulates vulnerable behavior: the real flaw skips only the hostname check,
# VERIFY_NONE here skips certificate checks entirely for the demonstration.
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
response = http.get(uri)
puts response.body
```
Mitigation:
1. Enable Hostname Verification:
```ruby
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_hostname = true # Force hostname check
```
2. Update JRuby-OpenSSL:
```shell
gem update jruby-openssl
```
3. Manual Patch (Temporary Fix):
```ruby
require 'net/http'
require 'openssl'

# Temporary workaround: force hostname verification on every Net::HTTP instance.
# Net::HTTP builds its SSLContext at connect time from its own verify_hostname
# attribute, so the flag is set on the instance rather than on a throwaway context
# that would be discarded before the connection is made.
class Net::HTTP
  alias_method :old_initialize, :initialize

  def initialize(*args)
    old_initialize(*args)
    self.verify_hostname = true
  end
end
```
Detection:
```shell
gem list | grep jruby-openssl
```
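Added example (not the page's or the JRuby project's own code) that puts mitigation step 1 and the detection command above into one reusable Ruby file: a version lookup equivalent to the gem list check, a behavioural probe that builds an SSLContext with library defaults the way Net::HTTP does and reports whether hostname verification ended up enabled, a hardened Net::HTTP factory that never relies on those defaults, and an audit helper for clients that already exist. The function names, the finding strings and the decision to compare only against 0.15.3 (the jruby-openssl version the page lists) are assumptions.

```ruby
require 'net/http'
require 'openssl'
require 'rubygems'

# The jruby-openssl release the page lists as affected (assumption: only this
# exact version is compared; consult the advisory for the full affected range).
AFFECTED_JRUBY_OPENSSL = Gem::Version.new('0.15.3')

# Inventory check, the in-process equivalent of `gem list | grep jruby-openssl`.
# Returns true/false for a version, nil when the gem is not loaded (e.g. on MRI).
def jruby_openssl_affected?(version = Gem.loaded_specs['jruby-openssl']&.version)
  return nil if version.nil?
  Gem::Version.new(version.to_s) == AFFECTED_JRUBY_OPENSSL
end

# Behavioural check: build an SSLContext the way Net::HTTP does at connect time
# (set_params with library defaults) and inspect the two settings at issue.
# On a build with the flaw this returns false even though verify_mode is VERIFY_PEER.
def default_context_verifies_hostname?
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  ctx.verify_mode == OpenSSL::SSL::VERIFY_PEER && ctx.verify_hostname == true
end

# Hardened client factory: set both flags explicitly instead of trusting defaults.
def hardened_http(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_hostname = true
  http
end

# Audit an existing Net::HTTP instance; returns a list of findings (empty when hardened).
def tls_findings(http)
  findings = []
  findings << 'use_ssl is off' unless http.use_ssl?
  findings << 'verify_mode is not VERIFY_PEER' unless http.verify_mode == OpenSSL::SSL::VERIFY_PEER
  findings << 'verify_hostname is not explicitly true' unless http.verify_hostname == true
  findings
end

if $PROGRAM_NAME == __FILE__
  puts "jruby-openssl affected:           #{jruby_openssl_affected?.inspect}"
  puts "defaults verify hostname:         #{default_context_verifies_hostname?}"
  puts "findings for hardened client:     #{tls_findings(hardened_http(URI('https://example.com'))).inspect}"
  weak = Net::HTTP.new('example.com', 443)
  weak.use_ssl = true
  weak.verify_mode = OpenSSL::SSL::VERIFY_NONE
  puts "findings for VERIFY_NONE client:  #{tls_findings(weak).inspect}"
end
```

The behavioural probe is the one worth running on the JRuby build itself: the gem version tells you what is installed, while the probe tells you what a freshly created context will actually do.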
Analytics:
- Affected Versions: JRuby 9.4.2.0, 10.0.0.0
- Root Cause: Missing `verify_hostname` enforcement.
- Risk: Data interception, API hijacking.
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: CVE-2025-12345
Sources:
Reported By: github.com
Extra Source Hub:
Undercode