CVE-2026-33637
Description
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.
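As an added illustration (not Faraday's code and not a reproduction of the bug), the guard below shows the pre-dispatch check a caller of a fixed-base client can apply: resolve the request target against the base URL, then refuse to send when the resolved origin differs from the base origin, so that the outcome is the same whether the target arrived as a String or as a URI object. `BASE`, `guarded_url`, `allowed?` and `OffHostRequest` are constructed names.

```ruby
require "uri"

# Constructed example: an origin guard applied to the *resolved* URI, so it
# does not depend on whether the caller passed a String or a URI object.
class OffHostRequest < StandardError; end

# Fixed base of the client (constructed value); connection-scoped secrets
# such as an Authorization header belong to this origin only.
BASE = URI("https://api.example.com/v1/")

# Resolve +target+ (String or URI) against +base+ per RFC 3986 reference
# resolution. A protocol-relative target ("//host/path") keeps the base
# scheme but replaces the host, which is exactly what the guard must catch.
def resolve(base, target)
  base.merge(target.is_a?(URI::Generic) ? target : URI(target))
end

# Return the resolved URI only if scheme, host and port still match the
# base; otherwise raise so nothing connection-scoped is forwarded off-host.
def guarded_url(base, target)
  resolved = resolve(base, target)
  same_origin = resolved.scheme == base.scheme &&
                resolved.host == base.host &&
                resolved.port == base.port
  raise OffHostRequest, "#{resolved} is off-host for #{base}" unless same_origin
  resolved
end

# Boolean form of the guard: true when dispatch would be allowed.
def allowed?(base, target)
  guarded_url(base, target)
  true
rescue OffHostRequest
  false
end

if __FILE__ == $PROGRAM_NAME
  puts guarded_url(BASE, "users/42")                 # stays on the base host
  puts guarded_url(BASE, URI("users/42"))            # same result for a URI object
  puts allowed?(BASE, "//other.example/users")       # false: host would change
  puts allowed?(BASE, URI("//other.example/users"))  # false: URI object is not exempt
end
```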
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| faraday (RubyGems) | >= 2.0.0, < 2.14.2 | 2.14.2 |
Affected products
- OSV coordinates range: >= 2.0.0, <= 2.14.1

The 44 distribution packages below (no CPE assigned) are affected in the version range shown for each.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/cinc-auditor | < 7.1.7-r0 |
| pkg:apk/chainguard/gitlab-exporter-18.11 | < 18.11.5-r2 |
| pkg:apk/chainguard/gitlab-exporter-19.0 | < 19.0.2-r1 |
| pkg:apk/chainguard/gitlab-exporter-19.1 | < 19.1.1-r3 |
| pkg:apk/chainguard/gitlab-rails-ce-18.11 | < 18.11.5-r2 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.11 | < 18.11.5-r2 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-19.0 | < 19.0.2-r2 |
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r70 |
| pkg:apk/chainguard/logstash-8.19 | < 8.19.15-r1 |
| pkg:apk/chainguard/logstash-8.19-iamguarded-compat | < 8.19.15-r1 |
| pkg:apk/chainguard/logstash-8.19-with-output-opensearch | < 8.19.15-r1 |
| pkg:apk/chainguard/logstash-9.0 | < 9.0.8-r23 |
| pkg:apk/chainguard/logstash-9.0-iamguarded-compat | < 9.0.8-r23 |
| pkg:apk/chainguard/logstash-9.0-with-output-opensearch | < 9.0.8-r23 |
| pkg:apk/chainguard/logstash-9.1 | < 9.1.10-r8 |
| pkg:apk/chainguard/logstash-9.1-bitnami-compat | < 9.1.10-r8 |
| pkg:apk/chainguard/logstash-9.1-iamguarded-compat | < 9.1.10-r8 |
| pkg:apk/chainguard/logstash-9.1-with-output-opensearch | < 9.1.10-r8 |
| pkg:apk/chainguard/logstash-9.2 | < 9.2.8-r4 |
| pkg:apk/chainguard/logstash-9.2-iamguarded-compat | < 9.2.8-r4 |
| pkg:apk/chainguard/logstash-9.2-with-output-opensearch | < 9.2.8-r4 |
| pkg:apk/chainguard/logstash-9.3 | < 9.3.4-r4 |
| pkg:apk/chainguard/logstash-9.3-iamguarded-compat | < 9.3.4-r4 |
| pkg:apk/chainguard/logstash-9.4 | < 9.4.1-r2 |
| pkg:apk/chainguard/logstash-9.4-iamguarded-compat | < 9.4.1-r2 |
| pkg:apk/chainguard/logstash-fips-9.4 | < 9.4.1-r2 |
| pkg:apk/chainguard/logstash-fips-9.4-iamguarded-compat | < 9.4.1-r2 |
| pkg:apk/chainguard/ruby3.2-kube-logging-operator-fluentd-outputs | < 6.5.2-r0 |
| pkg:apk/chainguard/ruby3.4-kube-logging-operator-fluentd-outputs | < 6.5.2-r0 |
| pkg:apk/wolfi/cinc-auditor | < 7.1.7-r0 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r70 |
| pkg:apk/wolfi/logstash-9.1 | < 9.1.10-r8 |
| pkg:apk/wolfi/logstash-9.1-bitnami-compat | < 9.1.10-r8 |
| pkg:apk/wolfi/logstash-9.1-iamguarded-compat | < 9.1.10-r8 |
| pkg:apk/wolfi/logstash-9.1-with-output-opensearch | < 9.1.10-r8 |
| pkg:apk/wolfi/logstash-9.2 | < 9.2.8-r4 |
| pkg:apk/wolfi/logstash-9.2-iamguarded-compat | < 9.2.8-r4 |
| pkg:apk/wolfi/logstash-9.2-with-output-opensearch | < 9.2.8-r4 |
| pkg:apk/wolfi/logstash-9.3 | < 9.3.4-r4 |
| pkg:apk/wolfi/logstash-9.3-iamguarded-compat | < 9.3.4-r4 |
| pkg:apk/wolfi/logstash-9.4 | < 9.4.1-r2 |
| pkg:apk/wolfi/logstash-9.4-iamguarded-compat | < 9.4.1-r2 |
| pkg:apk/wolfi/ruby3.2-kube-logging-operator-fluentd-outputs | < 6.5.2-r0 |
| pkg:apk/wolfi/ruby3.4-kube-logging-operator-fluentd-outputs | < 6.5.2-r0 |
References
- github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484 (NVD tags: Exploit, Vendor Advisory; web page)
- github.com/advisories/GHSA-33mh-2634-fwr2 (NVD tag: Vendor Advisory; advisory)
- github.com/advisories/GHSA-5rv5-xj5j-3484 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33637 (GHSA; advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-33637.yml (GHSA; web page)