CVE-2026-33637

NONE

Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)

Title source: cna

Description

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484

X_Refsource_Misc x_refsource_misc

https://github.com/advisories/GHSA-33mh-2634-fwr2

Scores

CVSS v3 0.0

EPSS 0.0027

EPSS Percentile 18.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

faraday_project/faraday 2.0.0 - 2.14.2

lostisland/faraday >= 2.0.0, <= 2.14.2

rubygems/faraday 2.0.0 - 2.14.2RubyGems

Published May 19, 2026

Tracked Since May 19, 2026