CVE-2024-22049

httparty Multipart/Form-Data Request Tampering Vulnerability

CVSS 5.3 MEDIUM | EPSS 1.3% | CWE-472
In short

HTTParty, a popular Ruby library for making HTTP requests, has a vulnerability that lets an attacker manipulate the filename sent with a multipart file upload. By crafting a malicious filename for a multipart request, an attacker could cause files to be saved under names they control, potentially overwriting important files or executing malicious code.

Technical detail

HTTParty versions prior to 0.21.0 fail to validate and sanitize the filename parameter in multipart/form-data requests, allowing an unauthenticated remote attacker to inject arbitrary filenames. An attacker can craft a multipart upload whose filename parameter is written to the filesystem as-is, potentially leading to arbitrary file write or path traversal, depending on how the server handles the name.

Summary generated and translated by AI from the official description.
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
httparty
