Platform: ruby
Component: httparty
Fixed in: 0.23.3, 0.24.0
CVE-2025-68696 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the httparty Ruby gem. This flaw allows attackers to bypass the intended base_uri configuration, enabling them to make unauthorized requests to internal servers and potentially expose sensitive data. The vulnerability impacts versions of httparty up to 0.9.0, and a fix is available in version 0.24.0.
The SSRF vulnerability in httparty allows an attacker to craft malicious requests that bypass the intended restrictions on outbound connections. By manipulating the path argument to an absolute URL, an attacker can force httparty to send requests to arbitrary internal or external hosts. This can lead to several severe consequences, including the leakage of API keys or other sensitive credentials stored within the application. Furthermore, an attacker could potentially use this vulnerability to interact with internal services that are not directly exposed to the internet, facilitating lateral movement within the network. The ability to issue requests to internal servers without proper authentication or authorization significantly expands the attack surface.
CVE-2025-68696 was publicly disclosed on December 23, 2025. The vulnerability's impact is amplified by the widespread use of httparty in Ruby applications. There are currently no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature of the flaw makes it a potential target for opportunistic attackers. The CVSS score of 8.2 (HIGH) indicates a significant risk.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68696 is to upgrade to httparty version 0.24.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests and block those targeting internal resources. Additionally, carefully validate and sanitize any user-supplied input that is used to construct URLs. Review your application's code to ensure that the base_uri is properly enforced and that no other mechanisms exist that could bypass this restriction. After upgrading, confirm the fix by attempting to craft a request with an absolute URL and verifying that the base_uri is correctly applied.
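The input-validation step above can be implemented as a same-origin guard in the application itself, independent of the library version. The following is an added example, not code from httparty or from this advisory: `enforce_base_uri` resolves a caller-supplied path against the configured base_uri and reports whether the result stays on that origin, so an absolute or protocol-relative URL in the path position is rejected before any request is made. The base URL and the paths are constructed sample values.

```ruby
# Added example (not httparty's own code): defence-in-depth check that a
# caller-supplied path cannot steer a base_uri-bound client to another host.
require 'uri'

# Resolves `path` against `base_uri` and reports whether the resolved target
# keeps the base origin (scheme, host and port). An absolute URL or a
# protocol-relative "//host/..." path replaces the origin and is therefore
# rejected. Returns [allowed, resolved_url_or_nil].
def enforce_base_uri(base_uri, path)
  base = URI.parse(base_uri)
  begin
    target = URI.join(base, path)
  rescue URI::InvalidURIError
    # Unparseable input never reaches the HTTP client.
    return [false, nil]
  end
  same_origin = target.scheme == base.scheme &&
                target.host == base.host &&
                target.port == base.port
  [same_origin, target.to_s]
end

# Convenience predicate for use at the request boundary.
def safe_path?(base_uri, path)
  enforce_base_uri(base_uri, path).first
end

if __FILE__ == $0
  base = 'https://api.example.com/v1/' # constructed sample base_uri
  ['users/1', 'http://internal.example/admin', '//other.example/x'].each do |p|
    ok, url = enforce_base_uri(base, p)
    puts "#{ok ? 'ALLOW' : 'BLOCK'} #{p.inspect} -> #{url}"
  end
end
```

The same predicate doubles as the post-upgrade verification the advisory recommends: feed it the absolute URL you would test with and confirm it is reported as leaving the base origin.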
Update the httparty library to a version later than 0.23.2. This can be done using the npm package manager by running the command `npm install httparty@latest`. Ensure that the installed version is greater than 0.23.2 to mitigate the SSRF vulnerability.
CVE-2025-68696 is a Server-Side Request Forgery vulnerability in the httparty Ruby gem, allowing attackers to bypass intended URL restrictions and potentially access internal resources.
You are affected if you are using httparty version 0.9.0 or earlier. Upgrade to version 0.24.0 or later to mitigate the risk.
Upgrade to httparty version 0.24.0 or later. Consider implementing WAF rules or proxy filtering as an interim measure.
There are currently no known public exploits or active campaigns targeting this vulnerability, but its SSRF nature makes it a potential target.
Refer to the Ruby Security Advisory and the httparty project's repository for official updates and information regarding this vulnerability.