CVE-2026-25765

Name: CVE-2026-25765
Description: Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
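The URI#merge behaviour the description relies on, shown with a host-pinning check an application can apply before handing a path to a client that merges it. This is an added example, not Faraday's code; the base URL and paths are constructed placeholders.

```ruby
require 'uri'

# Constructed base URL standing in for a client's configured connection URL.
BASE = URI('https://api.example.com/v1/')

# Plain URI#merge, as the pre-2.14.1 build_exclusive_url did. Per RFC 3986 a
# network-path reference ("//host/path") replaces the base's authority, so the
# merged URI can point at a different host than BASE.
def naive_merge(base, path)
  base.merge(path)
end

# Defensive variant: merge, then require that scheme, host and port are still
# those of the base. Returns the merged URI, or nil if the path would have moved
# the request off the configured host (covers "//other-host/..." inputs and
# absolute URLs alike).
def safe_merge(base, path)
  merged = base.merge(path)
  same_origin = merged.scheme == base.scheme &&
                merged.host == base.host &&
                merged.port == base.port
  same_origin ? merged : nil
end

if __FILE__ == $PROGRAM_NAME
  puts naive_merge(BASE, '//evil.com/path')      # host is now evil.com
  puts safe_merge(BASE, '//evil.com/path').inspect # nil: rejected
  puts safe_merge(BASE, 'users/42')                # stays on api.example.com
end
```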

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release      Version    Status
ruby-faraday (PTS)   bullseye     1.1.0-6    vulnerable
                     bookworm     1.1.0-7    vulnerable
                     trixie       2.12.2-1   vulnerable
                     forky, sid   2.14.1-1   fixed

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
ruby-faraday   source   (unstable)   2.14.1-1

Notes

[trixie] - ruby-faraday <no-dsa> (Minor issue)
[bookworm] - ruby-faraday <no-dsa> (Minor issue)
[bullseye] - ruby-faraday <postponed> (Minor issue)
https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
Fixed by: https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc (v2.14.1)
