HTTParty Server-Side Request Forgery Vulnerability Allowing API Key Leakage

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in HTTParty versions through 0.23.2. It allows an attacker to have requests sent to internal servers, potentially leaking API keys and other sensitive information. The root cause is that HTTParty does not validate absolute URLs supplied in the path parameter when a base URI is set: a path that is itself a full URL is used as-is, so the request goes to the host named in the path rather than to the configured base host.

Impact

Exploitation of this vulnerability could result in unauthorized requests being sent to internal servers, with the potential to capture API keys or other sensitive headers. This behavior could be exploited to access internal resources or services that are not exposed to the public internet.

Reproduction

To reproduce this vulnerability, supply an absolute URL as the path parameter to an endpoint that uses HTTParty with a base URI configured for a different host. Because HTTParty does not check the path against the base URI, it sends the request to the host named in the path (the malicious host) instead of the intended one.

Remediation

Users can update to HTTParty versions through 0.23.2, where this vulnerability has been patched. The update includes a validation that raises an error for absolute URLs with different hosts, preventing the SSRF attack.
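The following is an added illustration of the kind of host check described above; it is example code written for this page, not HTTParty's own implementation. It assumes a base URI string and a path string as inputs, and the host names used are constructed placeholders.

```ruby
require 'uri'

# Added example, not HTTParty's own code. Guards a request path before it is
# joined with a configured base URI, in the spirit of the validation the
# advisory describes: an absolute (or scheme-relative) path that points at a
# different host, scheme or port than the base URI is rejected instead of
# silently redirecting the request (and its headers) elsewhere.
class UnsafePathError < StandardError; end

# Resolves +path+ against +base_uri+ and returns the final URL as a String.
# Raises UnsafePathError when +path+ carries its own authority that does not
# match the base URI; relative paths resolve normally.
def resolve_request_uri(base_uri, path)
  base = URI.parse(base_uri)
  raise ArgumentError, "base_uri must be absolute: #{base_uri.inspect}" unless base.host

  ref = URI.parse(path)

  # ref.host is set for "https://host/..." and for "//host/..." (scheme-relative),
  # and is the real host even when userinfo is used to disguise it
  # ("https://api.example.com@other.example/" has host other.example).
  if ref.host
    unless ref.host.casecmp?(base.host)
      raise UnsafePathError, "path #{path.inspect} targets #{ref.host}, base is #{base.host}"
    end
    if ref.scheme && !ref.scheme.casecmp?(base.scheme)
      raise UnsafePathError, "path #{path.inspect} changes scheme to #{ref.scheme}"
    end
    if ref.port && ref.port != base.port
      raise UnsafePathError, "path #{path.inspect} changes port to #{ref.port}"
    end
  end

  # Only now is the path joined with the base, the way a client that
  # concatenates base_uri + path would, but with the authority check done first.
  URI.join(base_uri, path).to_s
end

if __FILE__ == $PROGRAM_NAME
  base = "https://api.example.com" # constructed placeholder
  puts resolve_request_uri(base, "/v1/users")
  begin
    resolve_request_uri(base, "https://other.example/v1/users")
  rescue UnsafePathError => e
    puts "rejected: #{e.message}"
  end
end
```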

Added: Dec 23, 2025, 11:16 PM
Updated: Dec 23, 2025, 11:16 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          5.4
impact          2.9
exploitability  6.0
remediation     7.7
relevance       1.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.