Vulnerability details: VCID-dg9z-j2d6-3yav
Vulnerability ID VCID-dg9z-j2d6-3yav
Aliases CVE-2026-33637
GHSA-5rv5-xj5j-3484
Summary Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
System Score Found at
epss 0.0001 https://api.first.org/data/v1/epss?cve=CVE-2026-33637
cvssv3.1 0 https://github.com/advisories/GHSA-33mh-2634-fwr2
cvssv3.1 0.0 https://github.com/advisories/GHSA-33mh-2634-fwr2
generic_textual LOW https://github.com/advisories/GHSA-33mh-2634-fwr2
ssvc Track https://github.com/advisories/GHSA-33mh-2634-fwr2
cvssv3.1_qr LOW https://github.com/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1 0.0 https://github.com/lostisland/faraday
generic_textual LOW https://github.com/lostisland/faraday
cvssv3.1 0 https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1 0.0 https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1_qr LOW https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
generic_textual LOW https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
ssvc Track https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
cvssv3.1 0.0 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml
cvssv3 6.5 https://nvd.nist.gov/vuln/detail/CVE-2026-33637
cvssv3.1 0.0 https://nvd.nist.gov/vuln/detail/CVE-2026-33637
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2026-33637
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/advisories/GHSA-33mh-2634-fwr2
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-19T18:36:58Z/ Found at https://github.com/advisories/GHSA-33mh-2634-fwr2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/lostisland/faraday
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-19T18:36:58Z/ Found at https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33637
Exploit Prediction Scoring System (EPSS)
Percentile 0.01306
EPSS Score 0.0001
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:49:35.323624+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/33xxx/CVE-2026-33637.json 38.6.0