Platform: ruby
Component: paperclip
Fixed in: 5.2.0
CVE-2017-0889 describes a Server-Side Request Forgery (SSRF) vulnerability affecting the Paperclip Ruby gem. This flaw allows attackers to potentially access internal network resources by manipulating the Paperclip::UriAdapter class. Versions of Paperclip prior to 5.1.0 are vulnerable, and a fix is available in version 5.2.0.
The SSRF vulnerability in Paperclip allows an attacker to craft malicious URLs that Paperclip processes, effectively redirecting requests to internal services or resources that should not be publicly accessible. This can lead to unauthorized data access, including sensitive configuration files, internal API endpoints, or even access to other internal systems. The potential impact extends beyond simple information disclosure: an attacker could use this vulnerability as a stepping stone for lateral movement within the network, exploiting other vulnerabilities in internal services once they have gained access. The blast radius depends on the internal network's security posture and the sensitivity of the exposed resources.
CVE-2017-0889 was publicly disclosed on January 22, 2018. While no active exploitation campaigns have been definitively linked to this specific vulnerability, SSRF vulnerabilities are frequently targeted. The ease of exploitation and potential impact make it a desirable target for attackers. No KEV listing is currently available.
Exploit Status
EPSS: 0.34% (57th percentile)
CVSS Vector
The primary mitigation for CVE-2017-0889 is to upgrade to Paperclip version 5.2.0 or later, which contains the fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a strict URL validation policy within your application to prevent Paperclip from processing untrusted URLs. Additionally, deploying a Web Application Firewall (WAF) with SSRF protection rules can help block malicious requests. Review and restrict network access for the application server to minimize the potential impact of a successful SSRF attack.
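The "strict URL validation policy" recommended above is easy to get wrong if it only checks the scheme: a URL can carry a public hostname that resolves to an internal address, an IPv6 loopback in brackets, or an IPv4-mapped IPv6 address. The following is an added example of such a pre-check, written for this page and not taken from Paperclip or its fix; it is meant to run before a URL is handed to Paperclip::UriAdapter or any similar remote-fetch adapter. The `validate_remote_url` function, the `BLOCKED_RANGES` list and the `DEMO_DNS` table are all this example's own constructions; the DNS table stands in for a real resolver so the code runs offline.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Added example (not Paperclip's code): validate a user-supplied URL before it
# reaches a remote-fetch adapter. The check rejects non-HTTP(S) schemes,
# embedded credentials, hosts outside an optional allowlist, and any host that
# is, or resolves to, a non-public address.

# Address ranges a server-side fetch must never reach: unspecified, loopback,
# RFC 1918, shared address space, link-local, multicast/reserved, and the IPv6
# unspecified, loopback, unique-local and link-local equivalents.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class UnsafeUrlError < StandardError; end

# Constructed DNS table so the demo runs offline; a real deployment would use
# the default Resolv-based resolver below instead.
DEMO_DNS = {
  "files.example.com"  => ["93.184.216.34"],
  "rebind.example.net" => ["93.184.216.34", "10.0.0.5"], # one public, one internal record
  "mapped.example.net" => ["::ffff:10.0.0.5"],           # IPv4-mapped IPv6 form of an internal address
}.freeze
DEMO_RESOLVER = ->(host) { DEMO_DNS.fetch(host, []) }

# True if +addr+ falls in any blocked range. IPv4-mapped IPv6 addresses are
# normalised to IPv4 first so ::ffff:a.b.c.d cannot slip past the IPv4 ranges.
def non_public_address?(addr)
  ip = IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Validates +raw+ and returns the parsed URI, or raises UnsafeUrlError.
# +resolver+ maps a hostname to a list of IP strings; it is injectable so the
# check can be exercised without network access.
def validate_remote_url(raw, allowed_hosts: nil,
                        resolver: ->(host) { Resolv.getaddresses(host) })
  uri = begin
    URI.parse(raw.to_s.strip)
  rescue URI::InvalidURIError
    raise UnsafeUrlError, "unparseable URL"
  end

  unless %w[http https].include?(uri.scheme)
    raise UnsafeUrlError, "scheme #{uri.scheme.inspect} is not http/https"
  end
  host = uri.hostname.to_s.downcase # hostname (unlike host) strips IPv6 brackets
  raise UnsafeUrlError, "missing host" if host.empty?
  raise UnsafeUrlError, "credentials embedded in URL" if uri.userinfo
  if allowed_hosts && !allowed_hosts.map(&:downcase).include?(host)
    raise UnsafeUrlError, "host #{host} not in allowlist"
  end

  # Every address the host resolves to must be public; a single internal
  # record is enough to reject the URL.
  addresses = ip_literal?(host) ? [host] : Array(resolver.call(host))
  raise UnsafeUrlError, "host #{host} does not resolve" if addresses.empty?
  bad = addresses.find { |a| non_public_address?(a) }
  raise UnsafeUrlError, "#{host} resolves to non-public address #{bad}" if bad
  uri
end

def safe_remote_url?(raw, **opts)
  validate_remote_url(raw, **opts)
  true
rescue UnsafeUrlError
  false
end

if $PROGRAM_NAME == __FILE__
  %w[
    https://files.example.com/avatar.png
    http://127.0.0.1:8080/admin
    file:///etc/passwd
    http://[::1]/
    https://rebind.example.net/x.jpg
  ].each do |u|
    verdict = safe_remote_url?(u, resolver: DEMO_RESOLVER) ? "accepted" : "rejected"
    puts "#{u.ljust(40)} #{verdict}"
  end
end
```

Two design points matter in practice. First, the check resolves the hostname itself rather than trusting the literal, because a public-looking name can point at an internal address; in a real deployment the fetch should then connect to the validated address (or re-check after redirects), since a second lookup at fetch time can return a different answer. Second, the scheme allowlist runs before any resolution, so `file://`, `gopher://` and similar URLs never trigger a DNS lookup at all.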
No official patch available. Check for workarounds or monitor for updates.
CVE-2017-0889 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Paperclip Ruby gem, allowing attackers to access internal network resources.
Yes, if you are using Paperclip versions 3.1.4 through 5.1.0, you are vulnerable to this SSRF vulnerability.
Upgrade to Paperclip version 5.2.0 or later to resolve the SSRF vulnerability. Implement URL validation as a temporary workaround.
While no confirmed active exploitation campaigns are publicly known, SSRF vulnerabilities are frequently targeted, making this a potential risk.
Refer to the Paperclip project's GitHub repository and related security advisories for more information: https://github.com/thoughtbot/paperclip