Bug 2424798 (CVE-2025-68696)

Summary: CVE-2025-68696 httparty: Httparty: Server-Side Request Forgery (SSRF) allows information disclosure and unauthorized internal access.
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Doc Text:
A flaw was found in httparty, an API tool. This Server-Side Request Forgery (SSRF) vulnerability allows an attacker to trick the server into making requests to internal resources or other external domains on their behalf. This can lead to the disclosure of sensitive information, such as API keys, and enable unauthorized access to internal servers.
Bug Depends On: 2424826, 2424827    

Description OSIDB Bzimport 2025-12-24 00:01:18 UTC
httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.