Platform: ruby
Component: httparty
Fixed in: 0.23.3, 0.24.0
CVE-2025-68696 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the httparty Ruby gem. This flaw allows attackers to bypass the intended base_uri configuration, enabling them to make unauthorized requests to internal servers and potentially expose sensitive data. The vulnerability impacts versions of httparty up to 0.9.0, and a fix is available in version 0.24.0.
The SSRF vulnerability in httparty allows an attacker to craft malicious requests that bypass the intended restrictions on outbound connections. By manipulating the path argument to an absolute URL, an attacker can force httparty to send requests to arbitrary internal or external hosts. This can lead to several severe consequences, including the leakage of API keys or other sensitive credentials stored within the application. Furthermore, an attacker could potentially use this vulnerability to interact with internal services that are not directly exposed to the internet, facilitating lateral movement within the network. The ability to issue requests to internal servers without proper authentication or authorization significantly expands the attack surface.
CVE-2025-68696 was publicly disclosed on December 23, 2025. The vulnerability's impact is amplified by the widespread use of httparty in Ruby applications. There are currently no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature of the flaw makes it a potential target for opportunistic attackers. The CVSS score of 8.2 (HIGH) indicates a significant risk.
Applications utilizing the httparty Ruby gem in versions 0.9.0 and earlier are at risk. This includes web applications, APIs, and any other Ruby projects that rely on httparty for making HTTP requests. Shared hosting environments where multiple applications share the same Ruby environment are particularly vulnerable, as a compromise of one application could potentially expose the entire environment.
• ruby / server:
grep -r "require 'httparty'" /path/to/your/ruby/projects
• ruby / supply-chain:
gem list httparty
• generic web:
curl -I <your_application_url>/<potentially_vulnerable_endpoint>
# Check for unexpected internal hostnames in the response headers
Disclosure
Exploit status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68696 is to upgrade to httparty version 0.24.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests and block those targeting internal resources. Additionally, carefully validate and sanitize any user-supplied input that is used to construct URLs. Review your application's code to ensure that the base_uri is properly enforced and that no other mechanisms exist that could bypass this restriction. After upgrading, confirm the fix by attempting to craft a request with an absolute URL and verifying that the base_uri is correctly applied.
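The input validation and post-upgrade check described above, as an added example that is not httparty's own code: a small guard that resolves a caller-supplied path against the configured base and refuses anything that lands on another scheme, host or port. The class name, method names and the base URL are assumptions for illustration.

```ruby
require 'uri'

# Added example (hypothetical helper, not part of httparty): resolve a
# user-supplied path the way an HTTP client would and reject it unless the
# result stays on the configured base_uri's origin.
class BaseUriGuard
  class OffBaseError < StandardError; end

  def initialize(base_uri)
    @base = URI.parse(base_uri)
    raise ArgumentError, 'base_uri needs a scheme and host' unless @base.scheme && @base.host
  end

  # Returns the full URL string if `path` stays on the base origin.
  # Absolute URLs ("http://10.0.0.5/"), scheme-relative ones ("//10.0.0.5/")
  # and port changes ("https://base:8443/") all raise OffBaseError.
  # Unparseable input raises URI::InvalidURIError from URI.join.
  def resolve(path)
    target = URI.join(@base.to_s, path.to_s)
    same_origin = target.scheme == @base.scheme &&
                  target.host.to_s.downcase == @base.host.downcase &&
                  target.port == @base.port
    raise OffBaseError, "#{path.inspect} resolves off #{@base}: #{target}" unless same_origin
    target.to_s
  end

  # Boolean form for callers that prefer to log and drop the request.
  def on_base?(path)
    resolve(path)
    true
  rescue OffBaseError, URI::InvalidURIError
    false
  end
end

# Call-site usage (HTTParty call left commented so the example runs offline):
# guard = BaseUriGuard.new('https://api.example.com')   # assumed base
# url   = guard.resolve(params[:path])   # raises before any request is sent
# HTTParty.get(url)
```

Running the same guard against a build of httparty before and after the upgrade (absolute URL in, check which host the request actually reaches) is the confirmation step the mitigation text asks for.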
Update the httparty library to a version later than 0.23.2. This can be done by running the command `npm install httparty@latest` using the npm package manager. Please make sure the installed version is greater than 0.23.2 so that the SSRF vulnerability is mitigated.
CVE-2025-68696 is a Server-Side Request Forgery vulnerability in the httparty Ruby gem, allowing attackers to bypass intended URL restrictions and potentially access internal resources.
You are affected if you are using httparty version 0.9.0 or earlier. Upgrade to version 0.24.0 or later to mitigate the risk.
Upgrade to httparty version 0.24.0 or later. Consider implementing WAF rules or proxy filtering as an interim measure.
There are currently no known public exploits or active campaigns targeting this vulnerability, but its SSRF nature makes it a potential target.
Refer to the Ruby Security Advisory and the httparty project's repository for official updates and information regarding this vulnerability.