httparty 0.15.0

2 security vulnerabilities found in version 0.15.0

httparty has multipart/form-data request tampering vulnerability

medium severity GHSA-5pq7-52mg-hr42
medium severity GHSA-5pq7-52mg-hr42
Patched versions: >= 0.21.0

"multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.

httparty/lib/httparty/request > body.rb > def generate_multipart

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

By exploiting this problem, the following attacks are possible

  • An attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field.
  • Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename.

httparty has multipart/form-data request tampering vulnerability

medium severity CVE-2024-22049
medium severity CVE-2024-22049
Patched versions: >= 0.21.0

HTTP multipart/form-data request tampering vulnerability in httparty < 0.20.0, due to lack of proper escaping of double quotes within the filename attribute of the Content-Disposition header. If the Content-Disposition header is set to "form-data" and contains the "filename" attribute, and the "filename" attribute contains a double quote followed by additional attributes, then those attributes will be parsed as Content-Disposition attributes and will override the Content-Disposition header's previous attributes.

Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.