
HTTParty CVE-2025-68696

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2025-12-23 security-advisories@github.com
7.8
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Red Hat: 9.3 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 01:17 (vuln.today)

Description (GitHub Advisory)

httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.

Analysis (AI)

Server-Side Request Forgery (SSRF) in HTTParty 0.23.2 and earlier enables remote unauthenticated attackers to force the application to make arbitrary HTTP requests to internal network resources and third-party services, potentially leaking API keys and credentials embedded in outbound requests or accessing internal-only endpoints. Publicly available exploit code exists (GitHub Security Advisory GHSA-hm5p-x4rq-38w4), and the CVSS E:P modifier confirms proof-of-concept exploitation. A vendor-released patch is available via commit 0529bcd, though a tagged release version is not confirmed from the provided data. EPSS data is not provided, but SSRF vulnerabilities in API libraries typically see exploitation within weeks of public disclosure because of how widely such libraries are deployed in cloud-native environments.

Technical Context (AI)

HTTParty is a Ruby HTTP client library widely used for consuming REST APIs and making HTTP requests in Ruby applications. CWE-918 (Server-Side Request Forgery) occurs when an application accepts user-supplied URLs or URL components without proper validation, allowing attackers to manipulate the destination of outbound HTTP requests. In API client libraries like HTTParty, SSRF typically manifests when applications pass user-controlled input directly into HTTParty request methods (e.g., HTTParty.get, HTTParty.post) without sanitizing the target URL. This enables attackers to redirect requests to internal IP ranges (169.254.169.254 for cloud metadata services, RFC1918 private networks), localhost services, or arbitrary external domains. The vulnerability affects all versions through 0.23.2 per the CPE string cpe:2.3:a:jnunemaker:httparty:*:*:*:*:*:*:*:*, indicating a library-level flaw rather than application-specific misconfiguration. The CVSS vector's VC:H (High Confidentiality impact) and VI:L (Low Integrity impact) align with typical SSRF impact profiles where data exfiltration is the primary risk.

Remediation (AI)

Apply the vendor-released patch by upgrading to a version containing commit 0529bcd6309c9fd9bfdd50ae211843b10054c240 (https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240). The specific released gem version incorporating this fix is not confirmed from the available data; verify the latest HTTParty gem version on RubyGems.org and review its changelog to confirm that commit 0529bcd is included before upgrading.

If immediate patching is not feasible, implement strict URL validation as a compensating control: use allowlists for permitted destination domains, reject RFC1918 private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), block link-local addresses (169.254.0.0/16), and disallow localhost/127.0.0.1 references in any user-supplied URL parameters passed to HTTParty methods. Note that URL parsing can be bypassed via encoding tricks (octal IPs, IPv6 notation, DNS rebinding), so allowlisting is more reliable than denylisting.

Network-level mitigation: configure egress firewall rules to prevent application servers from reaching cloud metadata endpoints (169.254.169.254) and internal network ranges, though this may break legitimate internal API calls and complicates microservice architectures. For applications that must accept arbitrary URLs, consider proxying all HTTParty requests through a dedicated egress gateway with deep packet inspection and URL rewriting capabilities, accepting the performance overhead and operational complexity this introduces.
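The allowlist-first check described above, written out as an added Ruby example (it is not HTTParty's code nor anything from the advisory). The OutboundUrlPolicy module, its allowlist entries and the constructed resolver results are assumptions for illustration; the intent is that an application calls validate before handing a user-supplied URL to HTTParty.get or HTTParty.post.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Hypothetical gatekeeper (not part of HTTParty) for user-supplied URLs before they
# reach HTTParty.get / HTTParty.post. Allowlist first; resolved-IP check as defence in depth.
module OutboundUrlPolicy
  ALLOWED_HOSTS   = %w[api.example.com partner.example.net].freeze  # constructed allowlist
  ALLOWED_SCHEMES = %w[http https].freeze

  class Rejected < StandardError; end

  # Returns the parsed URI when it may be fetched, raises Rejected otherwise.
  # `resolver` only needs #getaddresses; it is injectable so the policy is testable offline.
  def self.validate(raw, allowed_hosts: ALLOWED_HOSTS, resolver: Resolv)
    uri = URI.parse(raw.to_s)
    raise Rejected, "scheme not allowed: #{uri.scheme.inspect}" unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise Rejected, "credentials in URL" if uri.userinfo            # "https://allowed@other/" tricks
    host = uri.hostname.to_s.downcase                                # hostname strips IPv6 brackets
    raise Rejected, "missing host" if host.empty?
    # Exact hostname matching means octal, decimal or IPv6-encoded literals never match.
    raise Rejected, "host not on allowlist: #{host}" unless allowed_hosts.include?(host)

    # Defence in depth: an allowlisted name that currently points at an internal address
    # (stale or attacker-controlled DNS) is still refused. Rebinding between this check and
    # the actual connect is not covered here; egress filtering is the control for that.
    addresses = resolver.getaddresses(host)
    raise Rejected, "host did not resolve: #{host}" if addresses.empty?
    addresses.each do |addr|
      ip = IPAddr.new(addr.to_s)
      raise Rejected, "#{host} resolves to blocked address #{ip}" if blocked?(ip)
    end
    uri
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
    raise Rejected, "unparseable URL or address: #{e.message}"
  end

  # RFC 1918, loopback, link-local (covers 169.254.169.254), unspecified, and their IPv6 forms.
  def self.blocked?(ip)
    ip = ip.native if ip.ipv4_mapped?                  # ::ffff:10.0.0.1 -> 10.0.0.1
    ip.private? || ip.loopback? || ip.link_local? ||
      ip == IPAddr.new("0.0.0.0") || ip == IPAddr.new("::")
  end

  # Boolean convenience wrapper around validate.
  def self.allowed?(raw, **opts)
    validate(raw, **opts)
    true
  rescue Rejected
    false
  end
end
```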

Vendor Status (Vendor)
