CVE-2026-25765

MEDIUM

Rubygems Faraday < 2.14.1 - SSRF

Title source: rule

Description

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2

Patch x_refsource_misc

https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/lostisland/faraday/releases/tag/v2.14.1

Scores

CVSS v3 5.8

EPSS 0.0002

EPSS Percentile 5.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

faraday_project/faraday 1.0.0 - 1.10.5

rubygems/faraday 2.0.0 - 2.14.1RubyGems

Published Feb 09, 2026

Tracked Since Feb 18, 2026