Fluid Attacks Database

Description

httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	httparty	>=0 <0.24.0	0.24.0
debian 13	ruby-httparty	=0.21.0-1 \|\| =0.24.2-1 \|\| =0.24.2-2	-
debian 14	ruby-httparty	=0.21.0-1 \|\| >=0 <0.24.2-1	0.24.2-1
debian 12	ruby-httparty	=0.21.0-1 \|\| =0.24.2-1 \|\| =0.24.2-2	-
debian 11	ruby-httparty	=0.18.1-2 \|\| =0.18.1-2+deb11u1 \|\| =0.18.1-3 \|\| =0.20.0-1 \|\| =0.20.0-2 \|\| =0.21.0-1 \|\| =0.24.2-1 \|\| =0.24.2-2	-

Aliases

1. CVE-2025-686962. NVD-2025-686963. OSV-2025-686964. OSV-DEBIAN-2025-686965. GHSA-hm5p-x4rq-38w46. GCVE-2025-686967. SECURITY-TRACKER-CVE-2025-68696

References

1. https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w42. https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c2403. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/httparty/CVE-2025-68696.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.