CVE-2025-46551: 
Java vulnerability analysis and mitigation

JRuby-OpenSSL, an add-on gem for JRuby that emulates the Ruby OpenSSL native library, contains a security vulnerability (CVE-2025-46551) affecting versions 0.12.1 through 0.15.3 (corresponding to JRuby versions 9.3.4.0 through 9.4.12.0 and 10.0.0.0). The vulnerability was discovered and disclosed on May 7, 2025, where the SSL certificate verification process fails to validate hostname matching (GitHub Advisory).

The vulnerability stems from a fundamental flaw in the SSL certificate verification process where JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. The issue has been assigned a CVSS v4.0 score of 5.7 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P. The vulnerability is classified under CWE-295 (Improper Certificate Validation) (NVD).

The vulnerability affects any application using JRuby to make requests to external APIs or perform web scraping that relies on HTTPS for secure connections. A man-in-the-middle attacker could present a valid certificate for a completely different domain they own, and JRuby would accept it without complaint, potentially compromising the security of the connection (GitHub Advisory).

The vulnerability has been patched in JRuby-OpenSSL version 0.15.4, which is included in JRuby versions 10.0.0.1 and 9.4.12.1. Users are advised to upgrade to these patched versions to resolve the security issue (NVD).