
Hostname verification disabled by default in jruby-openssl

Moderate
headius published GHSA-72qj-48g4-5xgx May 7, 2025

Package: jruby
Affected versions: 10.0.0.0, 9.4.12.0, 9.4.11.0, 9.4.10.0, 9.4.9.0, 9.4.8.0, 9.4.7.0, 9.4.6.0, 9.4.5.0, 9.4.4.0, 9.4.3.0, 9.4.2.0, 9.4.1.0, 9.4.0.0, 9.3.15.0, 9.3.14.0, 9.3.13.0, 9.3.12.0, 9.3.11.0, 9.3.10.0, 9.3.9.0, 9.3.8.0, 9.3.7.0, 9.3.6.0, 9.3.5.0, 9.3.4.0
Patched versions: 10.0.0.1, 9.4.12.1

Package: jruby-openssl
Affected versions: 0.12.1, 0.12.2, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.5, 0.14.6, 0.14.7, 0.15.0, 0.15.1, 0.15.2, 0.15.3
Patched versions: 0.15.4

Description

Summary

When verifying SSL certificates, jruby-openssl does not check that the hostname in the presented certificate matches the host being connected to. A man-in-the-middle can therefore present any valid certificate for a completely different domain they own, and JRuby will accept it without complaint.

Details

n/a

PoC

I've set up my domain bad.substitutealert.com to present a certificate for the domain s8a.me. The following script, run in IRB in CRuby 3.4.3, will fail with "certificate verify failed (hostname mismatch)", but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3.

require "net/http"
require "openssl"

uri   = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl      = true
https.verify_mode  = OpenSSL::SSL::VERIFY_PEER   # chain verification is on; only the hostname check is at issue

# CRuby: raises OpenSSL::SSL::SSLError (hostname mismatch). Affected JRuby: returns the body.
body = https.start { https.get(uri.request_uri).body }
puts body
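As an added example (not the advisory's code, and not jruby-openssl's), the check the report describes as missing, done explicitly in Ruby: read the peer certificate's subjectAltName DNS entries and match the intended host against them with RFC 6125 wildcard rules, so an application on an affected version can refuse a mismatched server itself after SSLSocket#connect. The HostnameCheck module, its method names and the self-signed sample certificate are mine; only the s8a.me and bad.substitutealert.com names come from the PoC.

```ruby
require "openssl"

# Added example, not code from the advisory or from jruby-openssl: the hostname
# check the report describes as missing, done explicitly against the peer
# certificate so an application can refuse a mismatched server itself.
module HostnameCheck
  # DNS names the certificate claims: subjectAltName dNSName entries, with the
  # subject CN used only when there is no SAN extension at all.
  def self.dns_names(cert)
    san = cert.extensions.find { |e| e.oid == "subjectAltName" }
    return cert.subject.to_a.select { |n, _, _| n == "CN" }.map { |_, v, _| v } unless san
    san.value.split(",").map(&:strip)
       .select { |v| v.start_with?("DNS:") }.map { |v| v.delete_prefix("DNS:") }
  end

  # RFC 6125 style match: case-insensitive exact match, or a wildcard that is
  # the whole leftmost label and covers exactly one label (so never "*.com").
  def self.match?(pattern, host)
    pattern = pattern.downcase
    host = host.downcase
    return pattern == host unless pattern.start_with?("*.")
    rest = pattern[2..]
    labels = host.split(".")
    labels.size >= 3 && !rest.include?("*") && labels[1..].join(".") == rest
  end

  def self.valid_for?(cert, host)
    dns_names(cert).any? { |name| match?(name, host) }
  end
  # Fail the way CRuby's OpenSSL does; call with ssl_socket.peer_cert and the
  # host you intended to reach, right after SSLSocket#connect.
  def self.ensure_identity!(cert, host)
    return true if valid_for?(cert, host)
    raise OpenSSL::SSL::SSLError, "hostname \"#{host}\" does not match the server certificate"
  end
  # Constructed sample data: a self-signed certificate for the given names,
  # standing in for the s8a.me certificate the PoC host serves.
  def self.self_signed(names)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version, cert.serial = 2, 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{names.first}")
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("subjectAltName", names.map { |n| "DNS:#{n}" }.join(",")))
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
  end
end
```

With a certificate for s8a.me, `HostnameCheck.valid_for?(cert, "bad.substitutealert.com")` is false and `ensure_identity!` raises, which is the outcome CRuby produces for the PoC and affected JRuby does not.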

Impact

Anybody using JRuby to make requests to external APIs, or to scrape the web, who depends on HTTPS to connect securely is affected.

Severity

Moderate

CVE ID

CVE-2025-46551

Weaknesses

No CWEs

Credits