CVE-2025-68696

8.2 HIGH

📋 TL;DR

CVE-2025-68696 is a Server-Side Request Forgery (SSRF) vulnerability in the httparty Ruby gem. In applications that pass attacker-influenced URLs to httparty, it lets an attacker aim requests at internal servers that the application host can reach but the attacker cannot, which can expose API keys and other credentials and give unauthorized access to internal systems. httparty versions 0.23.2 and earlier are affected; 0.23.3 fixes it.

💻 Affected Systems

Products:
  • httparty Ruby gem
Versions: 0.23.2 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable behaviour is present in httparty's default configuration; no option has to be enabled. Exposure is practical wherever the application lets a user influence the URL (or a host, path or redirect target) that httparty requests.

📦 What is this software?

httparty is a widely used Ruby HTTP client gem (github.com/jnunemaker/httparty) that wraps Net::HTTP behind a simple HTTParty.get / HTTParty.post interface; web applications and background jobs commonly use it to call third-party and internal APIs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could reach sensitive internal systems, steal API keys and credentials (for example from an internal configuration service or a cloud metadata endpoint), and use the application server as a pivot into the internal network.

🟠

Likely Case

Attackers could exfiltrate API keys and make unauthorized requests to internal APIs, potentially accessing sensitive data or performing unauthorized actions.

🟢

If Mitigated

With strict URL validation, egress filtering and network segmentation, the impact is limited to the hosts the application server is legitimately allowed to reach.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF bugs need little skill to exploit once user input reaches a URL parameter: the attacker simply supplies an internal address, such as a cloud metadata endpoint or an internal service, and observes the response, its timing or its side effects.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.23.3 or later

Vendor Advisory: https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4

Restart Required: Yes

Instructions:

1. Update the Gemfile to require a fixed version: gem "httparty", ">= 0.23.3"
2. Run 'bundle update httparty' and commit the updated Gemfile.lock
3. Restart the application server (and any workers that load the gem) so the new version is in use

🔧 Temporary Workarounds

Input validation and URL whitelisting (platform: all)

Validate every user-supplied URL before httparty sees it: allow only http and https, resolve the hostname and reject any address in loopback, RFC 1918, link-local (including the 169.254.169.254 metadata endpoint) or other non-public ranges, and re-check every redirect target, since a permitted public host can redirect to an internal one. Prefer an allow-list of known destination hosts over a deny-list of internal addresses.

Network egress filtering (platform: all)

Configure host or network firewalls so application servers can open outbound connections only to the external services they need; in cloud environments also block, or require token-authenticated access to (for example IMDSv2 on AWS), the instance metadata service.

🧯 If You Can't Patch

  • Reject URLs whose hostname resolves to loopback, private, link-local or other internal ranges, not only URLs that literally contain such an address: IP literals can be written in IPv6-mapped or other alternative forms, and a public hostname can resolve or redirect to an internal address
  • Deploy network segmentation and egress filtering so application servers cannot reach sensitive internal systems even when validation is bypassed
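The validation and redirect re-checking described under the workarounds and "If You Can't Patch" above, written out as an added example. This is not httparty's own code or part of the advisory: SafeUrl, its Rejected error, the BLOCKED_RANGES list and the injectable resolver are assumptions made here for illustration. Only the standard library is needed for validation; HTTParty.get and its follow_redirects: false option are used in SafeUrl.get, which loads httparty lazily.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Added example, not httparty's own code: allow-list and resolve a user-supplied
# URL before handing it to HTTParty, so a request can never be aimed at loopback,
# RFC 1918, link-local (cloud metadata) or other internal address space.
module SafeUrl
  class Rejected < StandardError; end

  # Ranges an outbound request from an application server must never reach.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 224.0.0.0/3
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  ALLOWED_SCHEMES = %w[http https].freeze

  # True for any address inside a blocked range. IPv4-mapped IPv6 forms such as
  # ::ffff:10.0.0.1 are unwrapped first so they cannot slip past the IPv4 ranges.
  def self.internal_ip?(ip)
    addr = IPAddr.new(ip)
    addr = addr.native if addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  end

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  # Returns the validated URI or raises Rejected. `resolver` is injectable so the
  # check can run without network access; the default resolves with Resolv.
  def self.validate!(url, allowed_hosts: nil, resolver: ->(h) { Resolv.getaddresses(h) })
    uri = URI.parse(url.to_s)
    raise Rejected, "scheme must be http or https" unless ALLOWED_SCHEMES.include?(uri.scheme)
    host = uri.hostname # unlike uri.host, this strips the [] around IPv6 literals
    raise Rejected, "missing host" if host.nil? || host.empty?
    raise Rejected, "credentials in URL not allowed" if uri.userinfo
    if allowed_hosts && !allowed_hosts.map(&:downcase).include?(host.downcase)
      raise Rejected, "host #{host} is not on the allow-list"
    end
    addresses = ip_literal?(host) ? [host] : Array(resolver.call(host))
    raise Rejected, "host #{host} does not resolve" if addresses.empty?
    internal = addresses.find { |ip| internal_ip?(ip) }
    raise Rejected, "host #{host} resolves to internal address #{internal}" if internal
    uri
  rescue URI::InvalidURIError => e
    raise Rejected, "malformed URL: #{e.message}"
  end

  # Fetch through HTTParty without automatic redirects; every hop is validated
  # again so a public host cannot bounce the request to an internal address.
  # httparty is required here, not at the top, so the validator stays stdlib-only.
  def self.get(url, max_hops: 3, **validate_opts)
    require 'httparty'
    max_hops.times do
      uri = validate!(url, **validate_opts)
      response = HTTParty.get(uri.to_s, follow_redirects: false, timeout: 5)
      location = response.headers['location']
      return response unless (300..399).cover?(response.code) && location
      url = URI.join(uri, location).to_s
    end
    raise Rejected, "too many redirects from #{url}"
  end
end
```

Two caveats apply. The hostname is resolved by Resolv during validation but by the system resolver when Net::HTTP connects, so a DNS-rebinding attacker who changes the answer between the two lookups can still reach an internal address; egress filtering is the backstop for that, and pinning the connection to the validated IP is the stricter fix. Second, an allow-list of destination hosts (allowed_hosts:) is much stronger than the deny-list of ranges alone, because the deny-list only knows about address space you thought to enumerate.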

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock (the line '    httparty (x.y.z)' under GEM/specs) or run 'bundle show httparty' to see the installed version; anything at 0.23.2 or below is vulnerable

Check Version:

bundle show httparty | grep -o "httparty.*"
(or, without a working bundle: grep '^    httparty (' Gemfile.lock)

Verify Fix Applied:

After updating, verify the version is 0.23.3 or higher with 'bundle show httparty'
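The version check above, as an added example that is not part of the original page: it reads the pinned version out of Gemfile.lock text (or the path printed by 'bundle show httparty') and compares it with Gem::Version rather than as a string, because a string compare would wrongly rank a future 0.23.10 below 0.23.3. The lockfile contents are constructed for the example and the helper names are assumptions.

```ruby
# Added example, not from the advisory: is the httparty pinned in a Gemfile.lock
# below the fixed version? Gem::Version orders numerically, so 0.23.10 > 0.23.3.
FIXED_VERSION = Gem::Version.new('0.23.3')

# Constructed Gemfile.lock excerpt for the example (dependency lines are illustrative).
CONSTRUCTED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      csv (3.3.2)
      httparty (0.23.1)
        csv
        mini_mime (>= 1.0.0)
        multi_xml (>= 0.5.2)
      mini_mime (1.1.5)
      multi_xml (0.7.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    httparty (>= 0.23.3)

  BUNDLED WITH
     2.5.9
LOCK

# The resolved version sits under GEM/specs with exactly four spaces of indent;
# the DEPENDENCIES entry (two spaces, a requirement rather than a version) is skipped.
def locked_httparty_version(lockfile_text)
  m = lockfile_text.match(/^ {4}httparty \(([^)]+)\)$/)
  m && m[1]
end

# 'bundle show httparty' prints the install path, e.g. .../gems/httparty-0.23.2
def version_from_bundle_show(path)
  File.basename(path.strip)[/\Ahttparty-(.+)\z/, 1]
end

def httparty_vulnerable?(lockfile_text)
  version = locked_httparty_version(lockfile_text)
  return false if version.nil? # gem not in this lockfile at all
  Gem::Version.new(version) < FIXED_VERSION
end

def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

if __FILE__ == $PROGRAM_NAME
  v = locked_httparty_version(CONSTRUCTED_LOCK)
  puts "httparty #{v}: #{httparty_vulnerable?(CONSTRUCTED_LOCK) ? 'VULNERABLE, update to >= 0.23.3' : 'fixed'}"
end
```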

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from application servers to internal IP ranges
  • Requests from httparty to localhost, 127.0.0.1 or ::1 (a web application rarely needs to call itself through its outbound HTTP client)

Network Indicators:

  • HTTP traffic from application servers to internal IP addresses not in whitelist
  • Requests to metadata services (169.254.169.254)

SIEM Query:

source="application.log" AND "httparty" AND (destination_ip=10.0.0.0/8 OR destination_ip=172.16.0.0/12 OR destination_ip=192.168.0.0/16 OR destination_ip=127.0.0.0/8 OR destination_ip=169.254.0.0/16 OR destination_ip="::1")

Match on the field that carries the resolved destination address, not only on the URL string: a public-looking hostname that resolves to an internal address is exactly the case the URL text will not reveal.
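The same detection logic as the query above, applied to constructed application-log lines as an added example (not from the original page or the httparty project). The JSON log format, the logger field value "httparty" and the destination_ip field are assumptions about how an application might log its outbound requests; adapt the field names to what your logging actually emits.

```ruby
require 'json'
require 'ipaddr'

# Added example, not from the original page: the SIEM logic run over constructed
# JSON application-log lines. A record is flagged when the logger is httparty and
# the destination address falls in an internal range.
WATCHED_RANGES = %w[
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

METADATA_IP = IPAddr.new('169.254.169.254')

# Constructed log lines for the example; the field layout is an assumption.
CONSTRUCTED_LOG_LINES = [
  '{"ts":"2025-12-01T10:00:01Z","logger":"httparty","method":"GET","url":"https://api.payments.example/v1/charges","destination_ip":"203.0.113.10","status":200}',
  '{"ts":"2025-12-01T10:00:02Z","logger":"httparty","method":"GET","url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/","destination_ip":"169.254.169.254","status":200}',
  '{"ts":"2025-12-01T10:00:03Z","logger":"httparty","method":"GET","url":"http://10.0.3.7:8500/v1/kv/app/api_key","destination_ip":"10.0.3.7","status":200}',
  '{"ts":"2025-12-01T10:00:04Z","logger":"rack","method":"GET","url":"/healthz","destination_ip":"10.0.0.1","status":200}',
  '{"ts":"2025-12-01T10:00:05Z","logger":"httparty","method":"GET","url":"http://[::1]:6379/","destination_ip":"::1","status":500}',
  'Dec  1 10:00:06 app01 puma[1234]: not json at all',
  '{"ts":"2025-12-01T10:00:07Z","logger":"httparty","method":"POST","url":"http://[::ffff:192.168.10.4]/admin","destination_ip":"::ffff:192.168.10.4","status":403}'
].freeze

# Returns a reason string for an internal destination, nil for external or unparsable.
def classify_destination(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:a.b.c.d is still a.b.c.d
  return 'cloud metadata endpoint' if addr == METADATA_IP
  WATCHED_RANGES.any? { |r| r.include?(addr) } ? 'internal address range' : nil
rescue IPAddr::InvalidAddressError
  nil
end

# One alert hash per suspicious outbound request; malformed lines and requests
# logged by anything other than httparty are skipped.
def ssrf_alerts(log_lines)
  log_lines.filter_map do |line|
    event = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    next unless event['logger'] == 'httparty' && event['destination_ip']
    reason = classify_destination(event['destination_ip'])
    next unless reason
    { ts: event['ts'], url: event['url'], destination_ip: event['destination_ip'], reason: reason }
  end
end

if __FILE__ == $PROGRAM_NAME
  ssrf_alerts(CONSTRUCTED_LOG_LINES).each do |a|
    puts "#{a[:ts]} SSRF? #{a[:reason]}: #{a[:url]} -> #{a[:destination_ip]}"
  end
end
```

The metadata endpoint is reported separately from the generic ranges because it deserves its own high-severity rule: one successful request to it can hand an attacker live cloud credentials.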

🔗 References
