Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Description
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
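The merge step described above, as an added example that is not Faraday's own code: it reproduces how Ruby's URI#merge lets a network-path reference replace the base authority, then shows the same-origin check an application can apply before handing user input to a request method. The base URL, the paths and the helper names are constructed for illustration.

```ruby
require "uri"

# Added example (not Faraday's own code). Reproduces the URI#merge behaviour
# the advisory attributes to build_exclusive_url, then shows the check an
# application can apply before passing user input to a request method.
# The base URL, paths and helper names below are constructed for illustration.
BASE = URI("https://api.example.com/v1/")

# Mirrors the merge step: URI#merge resolves `path` against the base per
# RFC 3986, so a network-path reference ("//host/...") replaces the authority.
def merge_like_faraday(base, path)
  base.merge(path.to_s)
end

# A resolved target is acceptable only if its scheme and authority still
# match the connection's base URL.
def same_origin?(base, resolved)
  resolved.scheme == base.scheme &&
    resolved.host == base.host &&
    resolved.port == base.port
end

# Hardened wrapper: reject network-path references up front, then verify the
# resolved URL anyway so absolute URLs and other escapes are caught too.
def safe_merge(base, path)
  raw = path.to_s
  raise ArgumentError, "network-path reference rejected: #{raw}" if raw.start_with?("//")
  resolved = base.merge(raw)
  raise ArgumentError, "host override rejected: #{resolved}" unless same_origin?(base, resolved)
  resolved
end

# Convenience for tests and logging: true when safe_merge refuses the input.
def rejected?(base, path)
  safe_merge(base, path)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts merge_like_faraday(BASE, "//evil.example/endpoint") # host becomes evil.example
  puts safe_merge(BASE, "users/1")                        # https://api.example.com/v1/users/1
  puts rejected?(BASE, "//evil.example/endpoint")         # true
end
```

The post-merge comparison is the part worth keeping even after upgrading: it also catches absolute URLs and any other input form that resolves away from the configured host.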
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| faraday | RubyGems | >= 2.0.0, < 2.14.1 | 2.14.1 |
| faraday | RubyGems | >= 1.0.0, < 1.10.5 | 1.10.5 |
Affected products
41 entries (OSV package coordinates, 40 with a package URL; none carries a CPE).

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/cinc-auditor | < 7.0.95-r6 |
| pkg:apk/chainguard/gitlab-cng-18.9 | < 18.9.1-r0 |
| pkg:apk/chainguard/gitlab-exporter-18.9 | < 18.9.5-r0 |
| pkg:apk/chainguard/gitlab-rails-ce-18.11 | < 18.11.5-r2 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.11 | < 18.11.5-r2 |
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/chainguard/kube-logging-operator-fluentd-outputs | < 6.3.2-r3 |
| pkg:apk/chainguard/logstash-8.17 | < 8.17.10-r12 |
| pkg:apk/chainguard/logstash-8.17-iamguarded-compat | < 8.17.10-r12 |
| pkg:apk/chainguard/logstash-8.17-with-output-opensearch | < 8.17.10-r12 |
| pkg:apk/chainguard/logstash-8.19 | < 8.19.11-r1 |
| pkg:apk/chainguard/logstash-8.19-iamguarded-compat | < 8.19.11-r1 |
| pkg:apk/chainguard/logstash-8.19-with-output-opensearch | < 8.19.11-r1 |
| pkg:apk/chainguard/logstash-9.0 | < 9.0.8-r11 |
| pkg:apk/chainguard/logstash-9.0-iamguarded-compat | < 9.0.8-r11 |
| pkg:apk/chainguard/logstash-9.0-with-output-opensearch | < 9.0.8-r11 |
| pkg:apk/chainguard/logstash-9.1 | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.1-bitnami-compat | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.1-iamguarded-compat | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.1-with-output-opensearch | < 9.1.10-r1 |
| pkg:apk/chainguard/logstash-9.2 | < 9.2.5-r1 |
| pkg:apk/chainguard/logstash-9.2-iamguarded-compat | < 9.2.5-r1 |
| pkg:apk/chainguard/logstash-9.2-with-output-opensearch | < 9.2.5-r1 |
| pkg:apk/chainguard/logstash-9.3 | < 9.3.1-r0 |
| pkg:apk/chainguard/logstash-9.3-iamguarded-compat | < 9.3.1-r0 |
| pkg:apk/chainguard/logstash-9.3-with-output-opensearch | < 9.3.1-r0 |
| pkg:apk/wolfi/cinc-auditor | < 7.0.95-r6 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/wolfi/kube-logging-operator-fluentd-outputs | < 6.3.2-r3 |
| pkg:apk/wolfi/logstash-9.1 | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.1-bitnami-compat | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.1-iamguarded-compat | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.1-with-output-opensearch | < 9.1.10-r1 |
| pkg:apk/wolfi/logstash-9.2 | < 9.2.5-r1 |
| pkg:apk/wolfi/logstash-9.2-iamguarded-compat | < 9.2.5-r1 |
| pkg:apk/wolfi/logstash-9.2-with-output-opensearch | < 9.2.5-r1 |
| pkg:apk/wolfi/logstash-9.3 | < 9.3.1-r0 |
| pkg:apk/wolfi/logstash-9.3-iamguarded-compat | < 9.3.1-r0 |
| pkg:apk/wolfi/logstash-9.3-with-output-opensearch | < 9.3.1-r0 |
| pkg:gem/faraday | >= 2.0.0, < 2.14.1 |
| (no package coordinate given) | < 2.14.1 |
References
- https://github.com/advisories/GHSA-33mh-2634-fwr2 (GHSA, ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25765 (NVD, ADVISORY)
- https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc (commit, WEB)
- https://github.com/lostisland/faraday/pull/1569 (pull request, WEB)
- https://github.com/lostisland/faraday/releases/tag/v1.10.5 (release, WEB)
- https://github.com/lostisland/faraday/releases/tag/v2.14.1 (release, WEB)
- https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2 (project advisory, WEB)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml (ruby-advisory-db entry, WEB)
- https://www.rfc-editor.org/rfc/rfc3986 (RFC 3986, WEB)