Platform
ruby
Component
httparty
Fixed versions
0.23.3
0.24.0
CVE-2025-68696 describes a Server-Side Request Forgery (SSRF) vulnerability in the httparty Ruby gem. The flaw lets a caller bypass the configured base_uri, so an application that builds requests from untrusted input can be made to contact internal servers and potentially expose sensitive data. Releases of httparty older than the fixed versions listed above (0.23.3 on the 0.23 line, and 0.24.0) are affected.
The SSRF vulnerability in httparty lets an attacker craft requests that escape the intended restriction on outbound connections. By supplying an absolute URL as the path argument, the attacker causes httparty to send the request to that URL instead of a path beneath the configured base_uri, reaching arbitrary internal or external hosts. The consequences can be severe: credentials such as API keys that the application attaches to outbound requests can be leaked to an attacker-controlled host, and the attacker can interact with internal services that are not exposed to the internet, which facilitates lateral movement within the network. The ability to issue requests to internal servers from a trusted position, without further authentication or authorization, significantly expands the attack surface.
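As an added illustration (this is not httparty's own code and does not reproduce its internals), the Ruby below uses only the standard library's URI to show the class of behaviour the advisory describes, namely that an absolute or scheme-relative "path" does not get appended to a base URI but replaces its origin, and then a hypothetical application-side guard, resolve_within_base, that refuses any path whose resolution leaves the configured base origin or climbs out of the base path. BASE, OutOfBaseError and the sample paths are constructed for the example. In a real application the validated URI would be handed to HTTParty.get; the guard is defence in depth for untrusted input, not a substitute for upgrading.

```ruby
require "uri"

# Constructed sample base URI standing in for an application's base_uri.
BASE = URI("https://api.example.com/v1/")

class OutOfBaseError < StandardError; end

# Plain RFC 3986 resolution as done by Ruby's URI.join. This is the behaviour
# class the advisory describes: an absolute ("http://…") or scheme-relative
# ("//host/…") path is not appended to the base, it replaces the base origin.
def naive_resolve(base, path)
  URI.join(base, path).to_s
end

# Hypothetical guard: resolve `path` against `base` and return the absolute URI
# only if it stays on the same scheme/host/port and under the base path.
def resolve_within_base(base, path)
  candidate = URI(path)
  # Anything carrying its own scheme or authority ("http://…", "//host/…",
  # "https://user@host/…") would override the base, so refuse it outright.
  if candidate.scheme || candidate.host
    raise OutOfBaseError, "path carries its own origin: #{path}"
  end

  resolved = URI.join(base, path)
  same_origin = resolved.scheme == base.scheme &&
                resolved.host == base.host &&
                resolved.port == base.port
  raise OutOfBaseError, "origin changed: #{resolved}" unless same_origin

  # URI.join collapses "..", so a traversal that climbs out of the base path
  # (e.g. "../admin") shows up as a path that no longer starts with base.path.
  unless resolved.path.start_with?(base.path)
    raise OutOfBaseError, "path escapes base path: #{resolved.path}"
  end
  resolved
rescue URI::InvalidURIError => e
  raise OutOfBaseError, "unparseable path: #{e.message}"
end

# Convenience predicate: true if the guard would let the request through.
def allowed?(base, path)
  resolve_within_base(base, path)
  true
rescue OutOfBaseError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two legitimate paths, then typical bypass shapes.
  [
    "users/42",
    "/v1/users?id=42",
    "http://169.254.169.254/latest/meta-data/",
    "//169.254.169.254/latest/meta-data/",
    "../admin",
    "/etc/passwd",
  ].each do |p|
    puts format("%-42s naive=%-48s guard=%s", p, naive_resolve(BASE, p), allowed?(BASE, p))
  end
end
```

Run it stand-alone to see the naive resolution send the metadata-service paths to 169.254.169.254 while the guard rejects them along with the "../admin" and "/etc/passwd" traversals. Comparing scheme, host and port separately (rather than string-prefix matching the URL) is what stops "https://api.example.com@169.254.169.254/" style tricks, since that string parses as a different host with "api.example.com" as userinfo.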
CVE-2025-68696 was publicly disclosed on December 23, 2025. The vulnerability's impact is amplified by the widespread use of httparty in Ruby applications. There are currently no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature of the flaw makes it a potential target for opportunistic attackers. The CVSS score of 8.2 (HIGH) indicates a significant risk.
Applications using an httparty release older than the fixed versions listed above are at risk. This includes web applications, APIs, and any other Ruby projects that rely on httparty for outbound HTTP requests, especially where any part of the request path is derived from user input. The exposure is greatest where the application runs with network reach into internal services or cloud metadata endpoints, since an SSRF from one such application can reach everything that host can reach.
• ruby / server:
grep -r "require 'httparty'" /path/to/your/ruby/projects
• ruby / supply-chain:
gem list httparty
bundle info httparty   # in each project, the version actually pinned in Gemfile.lock
• generic web:
curl -I <your_application_url>/<potentially_vulnerable_endpoint>
# A response header does not reveal the gem version; treat this only as a reachability probe and rely on the version checks above.
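As an added example (not part of the page's checks and not httparty code), the Ruby below does the supply-chain check programmatically: it reads the httparty version pinned in a Gemfile.lock and compares it with Gem::Version against the earliest fixed release from the "Fixed versions" field at the top of this page. The cut-off of 0.23.3 is taken from that field; adjust the constant if your advisory source lists a different one. The lockfile fragment is constructed for the example.

```ruby
require "rubygems" # Gem::Version

# Earliest fixed release per the "Fixed versions" field above (assumption used as
# the cut-off: anything older is treated as affected; 0.24.0 compares higher).
FIXED_HTTPARTY = Gem::Version.new("0.23.3")

# Constructed Gemfile.lock fragment; not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      httparty (0.22.0)
        csv
        mini_mime (>= 1.0.0)
        multi_xml (>= 0.5.2)
      multi_xml (0.7.1)
        bigdecimal (~> 3.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    httparty
LOCK

# Bundler writes resolved gems at exactly four spaces of indent under "specs:";
# six-space lines are dependency constraints, not the pinned version.
def locked_httparty_version(lock_text)
  m = lock_text.match(/^ {4}httparty \(([^)\s]+)\)\s*$/)
  m && m[1]
end

def httparty_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_HTTPARTY
end

# Returns :not_present, :vulnerable or :fixed for a whole lockfile.
def assess_lockfile(lock_text)
  v = locked_httparty_version(lock_text)
  return :not_present unless v
  httparty_vulnerable?(v) ? :vulnerable : :fixed
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "httparty #{locked_httparty_version(text).inspect}: #{assess_lockfile(text)}"
end
```

Run it with a path to a real Gemfile.lock as the first argument, or with no argument to evaluate the embedded sample. Gem::Version is used rather than string comparison so that "0.9.0" correctly sorts below "0.23.3".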
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68696 is to upgrade to a fixed httparty release (0.23.3 or later on the 0.23 line, or 0.24.0 or later). If upgrading is not immediately feasible, route outbound HTTP through an egress proxy or network policy that blocks requests to internal address ranges and cloud metadata endpoints; a WAF in front of the application does not see these outbound requests. Additionally, validate and sanitize any user-supplied input that is used to construct request paths, rejecting absolute and scheme-relative URLs. Review your application's code to ensure that base_uri is enforced and that no other code path lets a caller override it. After upgrading, confirm the fix by issuing a request whose path is an absolute URL and verifying that base_uri is still applied.
Update the httparty library to 0.23.3 or later. httparty is a Ruby gem, so use RubyGems or Bundler rather than npm: run `gem update httparty`, or raise the version constraint in your Gemfile and run `bundle update httparty`. To confirm the mitigation, check that the installed version is 0.23.3 or newer with `gem list httparty` or `bundle info httparty`.
CVE-2025-68696 is a Server-Side Request Forgery vulnerability in the httparty Ruby gem, allowing attackers to bypass intended URL restrictions and potentially access internal resources.
You are affected if you are using an httparty release older than the fixed versions (0.23.3 on the 0.23 line, or 0.24.0). Upgrade to one of those releases or later to mitigate the risk.
Upgrade to httparty 0.23.3 or later, or 0.24.0 or later. Consider egress proxy filtering or network egress restrictions on internal address ranges as an interim measure.
There are currently no known public exploits or active campaigns targeting this vulnerability, but its SSRF nature makes it a potential target.
Refer to the Ruby Security Advisory and the httparty project's repository for official updates and information regarding this vulnerability.