PT-2023-32945 · Unknown+3 · Ruby On Rails+3

Motoyasu-Saburi · Published 2023-01-03 · Updated 2024-09-28 · CVE-2024-22049

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

httparty versions prior to 0.21.0

Description

A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads, which could result in attacker-controlled filenames being written. This issue is caused by the lack of escaping of the " (double-quote) character in the filename parameter of the Content-Disposition header. The vulnerability can be exploited to rewrite the "name" field and the filename extension; whether an attack succeeds depends on the behavior of the parser receiving the request. The issue has been confirmed to affect frameworks such as Spring, Ktor, and Ruby on Rails.
Recommendations

To resolve the issue, update httparty to version 0.21.0 or later. As a temporary workaround, consider modifying the Content-Disposition header to properly escape the " (double-quote) character in filenames, for example, by replacing " with %22. Additionally, URL encoding of \r and \n characters in filenames can provide extra safety.
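The workaround above, as an added Ruby example that is not httparty's own code: it builds the part header with and without escaping and feeds both to a simplified receiver. The helper names (`escape_filename`, `content_disposition`, `parse_params`), the field name `avatar` and the sample filename are assumptions made for illustration.

```ruby
# Hypothetical helpers for illustration; not httparty's API.

# Workaround from the advisory: percent-encode the double quote, CR and LF
# before the filename is placed inside the quoted parameter.
ESCAPES = { '"' => '%22', "\r" => '%0D', "\n" => '%0A' }.freeze

def escape_filename(filename)
  filename.gsub(/["\r\n]/, ESCAPES)
end

# Builds the part header the way a multipart encoder would.
# escape: false reproduces the behaviour the advisory describes.
def content_disposition(field, filename, escape: true)
  filename = escape_filename(filename) if escape
  %(Content-Disposition: form-data; name="#{field}"; filename="#{filename}")
end

# Simplified receiver: reads key="value" pairs, last duplicate key wins.
# Real parsers differ, which is why impact depends on the receiving framework.
def parse_params(header)
  header.scan(/(\w+)="([^"]*)"/).to_h
end

# Constructed input: a filename that contains a double quote.
SAMPLE = %(report.txt"; name="other_field)

unsafe = parse_params(content_disposition('avatar', SAMPLE, escape: false))
safe   = parse_params(content_disposition('avatar', SAMPLE))

puts "unescaped: #{unsafe}"
puts "escaped:   #{safe}"
```

With escaping, the receiver sees one `name` and one `filename` parameter, and the quote survives only as the literal text `%22` inside the filename.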

Exploit

Fix

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2024-22049
DLA-3716-1
DLA-3900-1
GHSA-5PQ7-52MG-HR42
GHSA-G47J-3M2M-74QV

Affected Products

Ktor
Ruby On Rails
Spring
Httparty