CVE-2026-25765

Severity: Medium (CVSS 3.1 base score 5.8) · EPSS 27.0%
Published Feb 9, 2026 · Last Modified Jun 17, 2026

Description

Faraday is a Ruby HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with the user-supplied path. Per RFC 3986, a protocol-relative reference such as //evil.com/path is a network-path reference: its authority replaces the base URL's host (and port), so the merged URL points at the attacker's host rather than at the configured base. Any application that passes user-controlled input as the path argument of Faraday's get(), post(), build_url() or other request methods is therefore exposed: an attacker who supplies //attacker.com/endpoint redirects the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1 (the affected-version table below lists 1.10.5 as the boundary for the 1.x line).
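The following added example (not code from the Faraday project or the advisory) reproduces the URI#merge behaviour the description relies on using only Ruby's standard uri library, and shows one guard an application can apply before handing a user-supplied path to an HTTP client: build the URL the same way, then reject the result if its scheme, host or port differ from the connection's base. The base URL and the attacker host are constructed for illustration; the function names are this example's own, not Faraday's.

```ruby
require 'uri'

# Constructed example base URL (stands in for a Faraday connection's url).
BASE = URI('https://api.internal.example/v1/')

# Reproduces the vulnerable step: URI#merge treats "//host/path" as a
# network-path reference (RFC 3986 section 5.2.2) and replaces the base
# authority with the one supplied in the path.
def merged_host(base, user_path)
  base.merge(user_path).host
end

# Hardened variant: merge exactly as before, then refuse any result whose
# origin (scheme + host + port) is not the base origin. This catches
# protocol-relative paths ("//attacker/...") and fully absolute URLs
# ("http://attacker/...") alike, which a plain start_with?('//') check
# would not.
def build_url_strict(base, user_path)
  candidate = base.merge(user_path)
  same_origin = candidate.scheme == base.scheme &&
                candidate.host == base.host &&
                candidate.port == base.port
  unless same_origin
    raise ArgumentError,
          "path #{user_path.inspect} escapes base origin #{base.scheme}://#{base.host}:#{base.port}"
  end
  candidate
end

if __FILE__ == $PROGRAM_NAME
  puts merged_host(BASE, 'users/42')                    # api.internal.example
  puts merged_host(BASE, '//attacker.example/endpoint') # attacker.example
  puts build_url_strict(BASE, 'users/42')               # https://api.internal.example/v1/users/42
  begin
    build_url_strict(BASE, '//attacker.example/endpoint')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The origin comparison deliberately still allows a path that moves elsewhere on the same host (for example /v2/other); if the application must also pin the path prefix, add that check on candidate.path alongside the origin check.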

CVSS Details

Base Score
5.8
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
27.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 2

Vendor            Product   Version   Range
faraday_project   faraday   *         ≥1.0.0  –  <1.10.5
faraday_project   faraday   *         ≥2.0.0  –  <2.14.1

References 3

  • github.com https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
    Patch
  • github.com https://github.com/lostisland/faraday/releases/tag/v2.14.1
    Product, Release Notes
  • github.com https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
    Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
    Patch