http is vulnerable to Server-Side Request Forgery (SSRF)
81
High Risk
HTTP::Request::Builder#make_request_uri resolves caller-supplied URI arguments against a configured base_uri or persistent origin without sanitizing protocol-relative inputs. A path argument beginning with // is treated as a network-path reference during URI resolution, allowing the host component to be overridden by the attacker-supplied value. This redirects the request to an attacker-chosen host, and because connection-scoped headers such as those set by HTTP.auth(...) are attached to the outgoing request, their contents are disclosed to that host. The fix rewrites leading // to a relative path before resolution so the configured origin cannot be overridden.
You are affected if you are using a version that falls within the vulnerable range and your application uses a configured base_uri or persistent connection and passes untrusted or externally supplied values as the URI argument to request methods.
http is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.8.0 - 6.0.3.
Upgrade the http library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant