logo

Database

Server-side request forgery (SSRF) In ruby-faraday

Description

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-257652. NVD-2026-257653. OSV-DEBIAN-2026-257654. OSV-2026-257655. GHSA-33mh-2634-fwr26. GCVE-2026-257657. SECURITY-TRACKER-CVE-2026-25765

References

1. https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr22. https://github.com/lostisland/faraday/pull/15693. https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc4. https://github.com/lostisland/faraday/releases/tag/v1.10.55. https://github.com/lostisland/faraday/releases/tag/v2.14.16. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml7. https://www.rfc-editor.org/rfc/rfc3986#section-5.2.28. https://www.rfc-editor.org/rfc/rfc3986#section-5.4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.