Httparty
Monthly
Server-Side Request Forgery (SSRF) in HTTParty 0.23.2 and earlier enables remote unauthenticated attackers to force the application to make arbitrary HTTP requests to internal network resources and third-party services, potentially leaking API keys and credentials embedded in outbound requests or accessing internal-only endpoints. Publicly available exploit code exists (GitHub Security Advisory GHSA-hm5p-x4rq-38w4), and the CVSS E:P modifier confirms proof-of-concept exploitation. A vendor-released patch is available via commit 0529bcd, though a tagged release version is not confirmed from the provided data. EPSS data was not provided, but SSRF vulnerabilities in HTTP client libraries typically see exploitation within weeks of public disclosure because of how widely such libraries are used in cloud-native environments.
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. Rated medium severity (CVSS 5.3), it is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.