Server-side Request Forgery (SSRF) Affecting httparty package, versions >=0.0.0

Q: How to fix?

A fix was pushed into the master branch but not yet published.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-RUBY-HTTPARTY-14563114
published24 Dec 2025
disclosed23 Dec 2025
creditTsubasa Irisawa

Report a new vulnerability Found a mistake?

Introduced: 23 Dec 2025

NewCVE-2025-68696 (opens in a new tab) CWE-918 (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the path parameter when an absolute URL is provided, causing the base_uri to be ignored. An attacker can cause sensitive credentials such as API keys to be sent to unintended third-party hosts or force the application to make requests to internal network resources by supplying a crafted absolute URL as input.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None