CVE-2024-22049
multipart/form-data request tampering vulnerability in httparty (RubyGems)

multipart/form-data request tampering vulnerability
No known exploit

What is CVE-2024-22049 About?

This vulnerability involves tampering with multipart/form-data requests due to a lack of escaping of the `filename` attribute within the `Content-Disposition` header. The flaw can lead to attacker-controlled field remapping or filename extension rewriting on the receiving server. Exploitation is relatively easy, since it relies only on improper input sanitization during multipart content generation.

Affected Software

httparty <0.21.0

Technical Details

The vulnerability stems from the httparty library's `generate_multipart` method failing to escape double-quote (`"`) characters in the `filename` attribute of the `Content-Disposition` header. An attacker can supply a filename containing a double-quote, which is emitted unescaped and interpreted by the receiving server as the end of the quoted string followed by new attributes. For example, given a filename such as `overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt`, the generated `Content-Disposition` header will contain `filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"`. This can produce duplicate `name` attributes (e.g., `avatar` and `foo`) or let an attacker rewrite the file extension from `.txt` to `.sh`, depending on how the server-side parser handles such malformed headers. Common frameworks such as Spring, Ktor, and Ruby on Rails are confirmed to be susceptible, allowing various forms of request tampering.
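The following is an added example, not httparty's own code or its actual patch: it builds the `Content-Disposition` line the unescaped way and with quoted-string escaping of backslash, double-quote and CR/LF, then parses both with a minimal last-key-wins parser that models the server-side behaviour described above. The parser, helper names and the escaping scheme are assumptions made for illustration.

```ruby
# Constructed sample: the crafted filename quoted in the advisory text.
CRAFTED_FILENAME = 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'

# Vulnerable pattern (assumed): the filename is copied verbatim into the quoted-string,
# so an embedded double-quote terminates it early and what follows becomes new attributes.
def disposition_unescaped(field, filename)
  %(form-data; name="#{field}"; filename="#{filename}")
end

# Hardened pattern (assumed, not httparty's patch): escape the characters that can close
# the quoted-string (backslash, double-quote) and drop CR/LF so the header cannot be split.
def escape_quoted_string(value)
  value.gsub(/[\\"]/) { |c| "\\#{c}" }.delete("\r\n")
end

def disposition_escaped(field, filename)
  %(form-data; name="#{escape_quoted_string(field)}"; filename="#{escape_quoted_string(filename)}")
end

# Minimal parser modelling a common server-side behaviour: read key="value" pairs
# separated by ';', honour backslash escapes inside quotes, and let the last key win.
# Returns a Hash of attribute name => decoded value.
def parse_disposition(header)
  params = {}
  rest = header.sub(/\Aform-data;?\s*/, '')
  until rest.empty?
    m = rest.match(/\A\s*([^=;\s]+)="((?:\\.|[^"\\])*)"\s*;?/)
    break unless m
    params[m[1]] = m[2].gsub(/\\(.)/, '\1')
    rest = m.post_match
  end
  params
end

if __FILE__ == $PROGRAM_NAME
  p parse_disposition(disposition_unescaped('avatar', CRAFTED_FILENAME))
  # name is remapped to "foo" and the extension becomes ".sh"
  p parse_disposition(disposition_escaped('avatar', CRAFTED_FILENAME))
  # name stays "avatar" and the full crafted string is just the filename
end
```

Not every server-side parser honours backslash escapes, so the robust defence is to reject or replace double-quotes and control characters in filenames before building the header, rather than relying on the receiver to decode them.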

What is the Impact of CVE-2024-22049?

Successful exploitation may allow attackers to manipulate form data fields and file extensions during multipart/form-data processing, potentially leading to unauthorized data modification, file subversion, or other logic flaws on vulnerable server-side applications.

What is the Exploitability of CVE-2024-22049?

Exploitation requires the attacker to submit a crafted filename in a multipart/form-data request. The complexity is low, as it is an input sanitization bypass that relies on a single unescaped character. No authentication is strictly required, although the attacker needs the ability to submit form data to the vulnerable application. Privilege requirements are typically those of a standard user interacting with a web form. This is a remote vulnerability, as the attack is initiated by sending a malformed HTTP request. One constraint is that the attacker's operating system must allow filenames containing double-quotes for the PoC to be replicated directly, though the underlying vulnerability lies in how the `Content-Disposition` header is formed. The likelihood of exploitation increases if the application uses the httparty library and does not sanitize generated multipart content, especially where the server-side parser allows attribute injection via unescaped characters.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-22049?

Available Upgrade Options

  • httparty
    • <0.21.0 → Upgrade to 0.21.0

Additional Resources

What are Similar Vulnerabilities to CVE-2024-22049?

Similar Vulnerabilities: CVE-2015-8931, CVE-2013-0245, CVE-2019-15525, CVE-2021-39181, CVE-2021-39182