Intel

AIKIDO-2026-749330

http is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF)GHSA-r98x-p6m8-xcrv Published Today

81

High Risk

This Affects:

RUBYhttp
0.8.0 - 6.0.3
Fixed in 6.0.4
Are you affected? Scan for Free

TL;DR

HTTP::Request::Builder#make_request_uri resolves caller-supplied URI arguments against a configured base_uri or persistent origin without sanitizing protocol-relative inputs. A path argument beginning with // is treated as a network-path reference during URI resolution, allowing the host component to be overridden by the attacker-supplied value. This redirects the request to an attacker-chosen host, and because connection-scoped headers such as those set by HTTP.auth(...) are attached to the outgoing request, their contents are disclosed to that host. The fix rewrites leading // to a relative path before resolution so the configured origin cannot be overridden.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses a configured base_uri or persistent connection and passes untrusted or externally supplied values as the URI argument to request methods.

Background info

http is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.8.0 - 6.0.3.

How to fix this

Upgrade the http library to the patch version.