Vulnerability details: VCID-8d5e-zyuy-53g3
Vulnerability ID VCID-8d5e-zyuy-53g3
Aliases CVE-2026-33637
GHSA-5rv5-xj5j-3484
Summary Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - protocol-relative URI objects still bypass host scoping

## Summary

`Faraday::Connection#build_exclusive_url` still allows protocol-relative host override when the request target is provided as a `URI` object instead of a `String`. This bypasses the February 2026 fix for `GHSA-33mh-2634-fwr2` and can redirect a request built from a fixed-base `Faraday::Connection` to an attacker-controlled host while preserving connection-scoped headers such as `Authorization`.

## Supporting Materials

- Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
- Existing CVE for the original string-based issue: CVE-2026-25765
- Existing regression tests for the string-only fix: spec/faraday/connection_spec.rb:314-345
- Existing test proving supported URI request input: spec/faraday/request_spec.rb:26-31

## Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.
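As an added illustration of the host-scoping check the advisory is about (this is not Faraday's own code; `resolve`, `same_origin?`, `scoped_target` and the sample base URL are assumptions), the Ruby below resolves a request target against a fixed base with standard-library RFC 3986 reference resolution and shows that a protocol-relative `//host/path` reference changes the origin whether it arrives as a `String` or as a `URI` object, then gates dispatch on the resolved origin so connection-scoped headers are never sent off-host:

```ruby
require 'uri'

# Hypothetical helper, not Faraday's code: a fixed base, the request target
# resolved against it with RFC 3986 reference resolution (URI#merge), and a
# check that the resolved origin still matches the base.
BASE = URI('https://api.example.test/v1/') # constructed sample base URL

# Resolves +target+ (String or URI object) against +base+. Both input forms
# go through the same path on purpose: the advisory's point is that a fix
# which only inspects the String form leaves the URI-object form unchecked.
def resolve(base, target)
  base.merge(target)
end

# True when the resolved request still targets the base's scheme, host and port.
def same_origin?(base, target)
  resolved = resolve(base, target)
  resolved.scheme == base.scheme &&
    resolved.host == base.host &&
    resolved.port == base.port
end

# Gate before dispatch: absolute URLs and protocol-relative "//host/path"
# references, in either input form, are rejected instead of being sent
# together with connection-scoped headers such as Authorization.
def scoped_target(base, target)
  unless same_origin?(base, target)
    raise ArgumentError, "request target leaves base origin: #{target}"
  end
  resolve(base, target)
end

if __FILE__ == $PROGRAM_NAME
  ['users/1', URI('/users/1'), '//other-host.example/x', URI('//other-host.example/x')].each do |t|
    puts "#{t.inspect.ljust(42)} -> #{resolve(BASE, t)} (same origin: #{same_origin?(BASE, t)})"
  end
end
```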
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
epss 0.0001 https://api.first.org/data/v1/epss?cve=CVE-2026-33637
cvssv3.1 0 https://github.com/advisories/GHSA-33mh-2634-fwr2
cvssv3.1 0.0 https://github.com/advisories/GHSA-33mh-2634-fwr2
generic_textual LOW https://github.com/advisories/GHSA-33mh-2634-fwr2
ssvc Track https://github.com/advisories/GHSA-33mh-2634-fwr2
cvssv3.1_qr LOW https://github.com/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1 0.0 https://github.com/lostisland/faraday
generic_textual LOW https://github.com/lostisland/faraday
cvssv3.1 0 https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1 0.0 https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1_qr LOW https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
generic_textual LOW https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
ssvc Track https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1 0.0 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml
cvssv3 6.5 https://nvd.nist.gov/vuln/detail/CVE-2026-33637
cvssv3.1 0.0 https://nvd.nist.gov/vuln/detail/CVE-2026-33637
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2026-33637
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/advisories/GHSA-33mh-2634-fwr2
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-19T18:36:58Z/ Found at https://github.com/advisories/GHSA-33mh-2634-fwr2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/lostisland/faraday
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-19T18:36:58Z/ Found at https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33637
Exploit Prediction Scoring System (EPSS)
Percentile 0.01311
EPSS Score 0.0001
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:14:41.709254+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml 38.6.0