anonhaven
Ad

CVE-2026-25765

MEDIUM CVSS 3.1: 5.8 EPSS 0.01%
Updated Feb 09, 2026
Ruby
Parameter Value
CVSS 5.8 (MEDIUM)
Fixed In 2.14.1
Type CWE-918 (Server-Side Request Forgery (SSRF))
Vendor Ruby
Public PoC No

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

References 3

https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef…
security-advisories@github.com
https://github.com/lostisland/faraday/releases/tag/v2.14.1
security-advisories@github.com
https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-31830

Ruby

7.5

CVE-2026-27635

Ruby

7.5

CVE-2026-27614

Ruby

9.3

CVE-2026-2302

Ruby

6.9

CVE-2026-25757

Ruby

7.7