rubysec · jasnow · Nov 11, 2025 · postmodern · Nov 12, 2025 · postmodern
diff --git a/gems/httparty/CVE-2024-22049.yml b/gems/httparty/CVE-2024-22049.yml
@@ -16,6 +16,21 @@ description: |
 
       Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"
 
+  ## GHSA version of Description
+
+  "multipart/form-data request tampering vulnerability"
+  caused by Content-Disposition "filename" lack of escaping in httparty.
+
+  `httparty/lib/httparty/request` > `body.rb` > `def generate_multipart`
+
+  https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
+
+  By exploiting this problem, the following attacks are possible
+
+  * An attack that rewrites the \"name\" field according to the
+    crafted file name, impersonating (overwriting) another field.
+  * Attacks that rewrite the filename extension at the time
+    multipart/form-datais generated by tampering with the filename.
 cvss_v3: 6.5
 patched_versions:
   - ">= 0.21.0"
@@ -25,4 +40,5 @@ related:
     - https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
     - https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
     - https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
+    - https://bugzilla.mozilla.org/show_bug.cgi?id=1556711
     - https://github.com/advisories/GHSA-5pq7-52mg-hr42
diff --git a/gems/httparty/GHSA-5pq7-52mg-hr42.yml b/gems/httparty/GHSA-5pq7-52mg-hr42.yml