CVE-2026-33637

Name: CVE-2026-33637

Description: Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Debian Bugs: 1137212

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release     Version    Status
ruby-faraday (PTS)    bullseye    1.1.0-6    fixed
                      bookworm    1.1.0-7    fixed
                      trixie      2.12.2-1   fixed
                      forky, sid  2.14.1-1   vulnerable

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version    Urgency  Origin  Debian Bugs
ruby-faraday   source  bullseye    (not affected)
ruby-faraday   source  bookworm    (not affected)
ruby-faraday   source  trixie      (not affected)
ruby-faraday   source  (unstable)  (unfixed)                         1137212

Notes

[trixie] - ruby-faraday <not-affected> (Incomplete fix for CVE-2026-25765 not applied)
[bookworm] - ruby-faraday <not-affected> (Incomplete fix for CVE-2026-25765 not applied)
[bullseye] - ruby-faraday <not-affected> (Incomplete fix for CVE-2026-25765 not applied)
https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
https://github.com/lostisland/faraday/commit/3f1280c69e93297d574e85a2d462d05ebadf1d09 (v2.14.2)
