Description
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Published: 2026-02-09
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The flaw lies in the Faraday HTTP client’s build_exclusive_url method, which merges a base URL with a user‑supplied path using Ruby’s URI#merge. When a protocol‑relative URL (starting with //) is supplied, RFC 3986 dictates that the host component overrides the base URL’s authority. Consequently, an attacker can craft a request such as //attacker.com/endpoint, causing Faraday to redirect outgoing HTTP calls to an arbitrary host. This enables the attacker to access internal resources, exfiltrate data, or pivot laterally from the vulnerable application, representing a Server‑Side Request Forgery issue. The CVSS score of 5.8 reflects a moderate severity, as the attack requires the application to forward user input to the Faraday API.

Affected Systems

This vulnerability affects the Faraday project, provided by lostisland. All releases before version 2.14.1 are susceptible. The fix was delivered in 2.14.1, so any deployment that has not upgraded to 2.14.1 or newer remains at risk.

Risk and Exploitability

The EPSS score is < 1%, indicating a low exploitation probability at present, and Faraday is not listed in the CISA KEV catalog. The most common attack vector is application‑level: if software receives untrusted input and forwards it unchecked to Faraday’s get, post, or build_url methods, the attacker controls the request destination. Exploitation does not require privileged credentials but relies on the ability to influence the URL supplied to the client. The presence of CWEs 918 and 1289 underscores the lack of input validation and potential certificate validation deficiencies.

Generated by OpenCVE AI on April 18, 2026 at 12:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Faraday to version 2.14.1 or later. This patch corrects the URL merging logic to preserve the original host when a protocol‑relative URL is supplied.
  • Validate or sanitize all user‑controlled URLs before passing them to Faraday. Reject or normalize protocol‑relative URLs, and implement host whitelisting to restrict outbound destinations.
  • Configure network controls such as firewalls or proxy rules to block unsolicited outbound connections to unfamiliar hosts, ensuring only approved endpoints are reachable from the application.
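As an added example (not Faraday's own code, and not the fix shipped in 2.14.1), the Ruby below reproduces the URI#merge behaviour described in the Impact section and shows one way to implement the URL validation recommended in the second action above: the reference is rejected up front if it carries its own authority, and the resolved URL is then compared against the configured base. The base URL api.example.com, the host attacker.example and the helper names are constructed for this example.

```ruby
require 'uri'

# Constructed stand-in for a Faraday connection's url_prefix.
BASE_URL = 'https://api.example.com/v1/'

# Mirrors the merge that build_exclusive_url performed before 2.14.1:
# plain RFC 3986 reference resolution via URI#merge (also URI#+).
# Returns the host the resulting request would be sent to, so a caller
# can see that a network-path reference ('//host/...') replaces the
# base authority while an ordinary relative path keeps it.
def merged_host(base, user_path)
  URI(base).merge(user_path.to_s).host
end

# Raised when a user-supplied reference would leave the configured base.
class HostOverrideError < StandardError; end

# Hardened builder (constructed example, not Faraday's API): resolves the
# reference against the base but refuses any input that supplies its own
# scheme or authority, and re-checks the resolved scheme/host/port so a
# future parser quirk cannot silently reintroduce the override.
def build_url_pinned(base, user_path)
  base_uri = URI(base)
  ref = user_path.to_s

  # '//host/path' parses with no scheme, so URI#absolute? is false for it;
  # check the prefix explicitly, then reject absolute URLs as well.
  if ref.start_with?('//') || URI(ref).absolute?
    raise HostOverrideError, "reference supplies its own authority: #{ref}"
  end

  result = base_uri.merge(ref)
  same_origin = result.scheme == base_uri.scheme &&
                result.host == base_uri.host &&
                result.port == base_uri.port
  raise HostOverrideError, "resolved URL left #{base_uri.host}: #{result}" unless same_origin

  result
end

if __FILE__ == $PROGRAM_NAME
  puts merged_host(BASE_URL, 'users/42')               # api.example.com
  puts merged_host(BASE_URL, '//attacker.example/path') # attacker.example
  puts build_url_pinned(BASE_URL, 'users/42')
  begin
    build_url_pinned(BASE_URL, '//attacker.example/path')
  rescue HostOverrideError => e
    puts "rejected: #{e.message}"
  end
end
```

The explicit `start_with?('//')` test matters because a bare network-path reference has no scheme, so `URI#absolute?` does not flag it; the post-merge origin comparison is the second line of defence and is the check worth keeping even if the input filtering changes. Host allow-listing (the third action above) can be added by checking `result.host` against an approved set at the same point.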

Advisories
Source: GitHub GHSA
ID: GHSA-33mh-2634-fwr2
Title: Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
History

Fri, 20 Feb 2026 21:15:00 +0000

Type: First Time appeared
  Values Added: Faraday Project; Faraday Project faraday
Type: CPEs
  Values Added: cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Faraday Project; Faraday Project faraday

Tue, 10 Feb 2026 16:15:00 +0000

Type: Metrics
  Values Added: ssvc = {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type: First Time appeared
  Values Added: Lostisland; Lostisland faraday
Type: Vendors & Products
  Values Added: Lostisland; Lostisland faraday

Tue, 10 Feb 2026 12:15:00 +0000

Type: Weaknesses
  Values Added: CWE-1289
Type: References
Type: Metrics
  Values Removed: threat_severity = None
  Values Added: threat_severity = Moderate


Mon, 09 Feb 2026 20:45:00 +0000

Type: Description
  Values Added: Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Type: Title
  Values Added: Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Type: Weaknesses
  Values Added: CWE-918
Type: References
Type: Metrics
  Values Added: cvssV3_1 = {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:59:26.645Z

Reserved: 2026-02-05T18:35:52.358Z

Link: CVE-2026-25765

Vulnrichment

Updated: 2026-02-10T15:39:45.460Z

NVD

Status : Analyzed

Published: 2026-02-09T21:15:49.490

Modified: 2026-02-20T21:03:57.723

Link: CVE-2026-25765

Redhat

Severity : Moderate

Public Date: 2026-02-09T20:30:58Z

Links: CVE-2026-25765 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses