{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68696", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-23T17:11:35.076Z", "datePublished": "2025-12-23T22:59:04.201Z", "dateUpdated": "2025-12-24T14:31:58.017Z"}, "containers": {"cna": {"title": "httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"}, {"name": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240", "tags": ["x_refsource_MISC"], "url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240"}], "affected": [{"vendor": "jnunemaker", "product": "httparty", "versions": [{"version": "<= 0.23.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-23T22:59:04.201Z"}, "descriptions": [{"lang": "en", "value": "httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd."}], "source": {"advisory": "GHSA-hm5p-x4rq-38w4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-24T14:31:55.287593Z", "id": "CVE-2025-68696", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T14:31:58.017Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68696", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-24T14:31:55.287593Z"}}}], "references": [{"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T14:31:44.582Z"}}], "cna": {"title": "httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage", "source": {"advisory": "GHSA-hm5p-x4rq-38w4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jnunemaker", "product": "httparty", "versions": [{"status": "affected", "version": "<= 0.23.2"}]}], "references": [{"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4", "name": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240", "name": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-23T22:59:04.201Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68696", "state": "PUBLISHED", "dateUpdated": "2025-12-24T14:31:58.017Z", "dateReserved": "2025-12-23T17:11:35.076Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-23T22:59:04.201Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jnunemaker:httparty:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA99A6FB-466F-4070-933D-CF6CEFB6111E", "versionEndExcluding": "0.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd."}], "id": "CVE-2025-68696", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-12-23T23:15:45.627", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "httparty: Httparty: Server-Side Request Forgery (SSRF) allows information disclosure and unauthorized internal access.", "id": "2424798", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2424798"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in httparty, an API tool. This Server-Side Request Forgery (SSRF) vulnerability allows an attacker to trick the server into making requests to internal resources or other external domains on their behalf. This can lead to the disclosure of sensitive information, such as API keys, and enable unauthorized access to internal servers."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68696", "public_date": "2025-12-23T22:59:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68696\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68696\nhttps://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240\nhttps://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"], "statement": "This vulnerability is rated Important for Red Hat as it affects `rubygem-httparty` in Fedora. The Server-Side Request Forgery (SSRF) flaw in `httparty` versions 0.23.2 and prior could lead to the leakage of API keys and allow unauthorized requests to internal servers. This impacts applications utilizing `httparty` for API interactions within the Red Hat ecosystem.", "threat_severity": "Important"}

{"created": "2025-12-24T11:51:40.865772+00:00", "updated": "2025-12-24T11:51:40.865807+00:00", "vendors": ["john_nunemaker", "john_nunemaker$PRODUCT$httparty"]}