18 matches found
CVE-2026-33637
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
Summary Faraday::Connectionbuildexclusiveurl still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...
GHSA-5RV5-XJ5J-3484 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
Summary Faraday::Connectionbuildexclusiveurl still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the buildexclusiveurl function. An attacker can redirect requests to an attacker-controlled host while preserving sensitive connection-scoped headers such as Authorization by supplying a...
SUSE CVE-2026-25765
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765
A flaw was found in Faraday, an HTTP client library. The buildexclusiveurl method, which combines a base URL with a user-supplied path, incorrectly processes protocol-relative URLs e.g., //evil.com/path. This allows a remote attacker to supply a specially crafted URL, leading to Server-Side Reque...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the buildexclusiveurl function in the connection.rb file. An attacker can cause requests to be sent to arbitrary hosts by supplying a protocol-relative URL as input. Workaround This vulnerability ca...
AZL-77639 CVE-2026-25765 affecting package rubygem-faraday 2.5.2-1
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
AZL-77631 CVE-2026-25765 affecting package rubygem-faraday 2.7.10-1
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
GHSA-33MH-2634-FWR2 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Impact Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs e.g. //evil.com/path are treated as network-path references that override the base URL's host/authority...
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Impact Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs e.g. //evil.com/path are treated as network-path references that override the base URL's host/authority...
CVE-2026-25765 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765
CVE-2026-25765 affects Faraday (an HTTP client abstraction). The vulnerability arises in build_exclusive_url (lib/faraday/connection.rb) which uses URI#merge; protocol-relative URLs (e.g., //evil.com/…) override the base URL’s host, enabling potential SSRF if user-controlled input is passed to ge...
CVE-2026-25765 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Impact Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs e.g. //evil.com/path are treated as network-path references that override the base URL's host/authority...