Impact
Faraday is a Ruby HTTP client library that abstracts multiple adapters under a single interface. A defect in its URL-building routine allows a protocol-relative URI (one of the form `//host/path`) to override the connection's configured host when the request target is supplied as a URI object rather than a plain string. The vulnerability is a manifestation of CWE‑918 and enables off-host request forgery: an attacker can redirect a connection that has been pre-configured with credentials or default query parameters to an arbitrary, attacker-controlled domain, causing those sensitive values to be sent to an unintended host.
Affected Systems
The flaw affects all instances of the lostisland Faraday library from version 2.0.0 through 2.14.1. The issue was addressed in commit 2.14.3. Any project that uses Faraday within that version range, especially one that constructs requests from externally supplied URI objects, is at risk unless the fix or a mitigation is applied.
Risk and Exploitability
EPSS data is not available and the vulnerability is not listed in CISA KEV; no known exploitation activity has been reported. The CVSS score is not disclosed, yet the missing host-scoping control exposes applications to off-host request forgery, where an attacker can force the client to send requests to an arbitrary domain while leaking Authorization headers and default query parameters. Based on the description, the likely attack vector is remote: an adversary who can influence a URI object passed to Faraday::Connection#build_exclusive_url can trigger the flaw, a situation that is common in applications that forward untrusted URLs to the HTTP client.
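The following Ruby script is an added example, not code from the Faraday project or from the advisory. It illustrates the mechanism described in the Impact and Risk sections, and the check a defender can apply: when a request target is resolved against a base URL by a standard RFC 3986 merge (here Ruby's stdlib `URI#merge`, standing in for the client's own URL builder), a protocol-relative reference carries its own authority and therefore replaces the base host, so a connection-wide Authorization header would travel to the new host. The guard `safe_build_request` compares the resolved scheme, host and port against the connection's base URL and refuses the request on mismatch. The base URL, host names, header value and the helper names are constructed for the example.

```ruby
require 'uri'

# Constructed connection settings for the example (hypothetical values).
BASE_URL = 'https://api.example.com/v1/'.freeze
DEFAULT_HEADERS = { 'Authorization' => 'Bearer example-token-not-real' }.freeze

# Raised by the hardened builder when the resolved target leaves the base host.
class HostMismatch < StandardError; end

# Resolve a request target against the base URL the way an RFC 3986 merge does.
# Accepts either a String or a URI object, mirroring the two input kinds the
# advisory distinguishes. A network-path reference ("//host/path") supplies its
# own authority, so the merge keeps the base scheme but swaps in the new host.
def resolve_target(base, target)
  base_uri = URI.parse(base)
  target_uri = target.is_a?(URI::Generic) ? target : URI.parse(target.to_s)
  base_uri.merge(target_uri)
end

# Unscoped builder: resolves the target and attaches the connection's default
# headers to whatever host came out of the merge. This is the risky shape.
def build_request(base, target, headers = DEFAULT_HEADERS)
  { url: resolve_target(base, target).to_s, headers: headers.dup }
end

# True when the resolved URL still points at the connection's origin
# (scheme, host and port all match; host compared case-insensitively).
def same_origin?(base_uri, resolved)
  base_uri.scheme == resolved.scheme &&
    base_uri.host.to_s.downcase == resolved.host.to_s.downcase &&
    base_uri.port == resolved.port
end

# Hardened builder: same resolution, but the request is refused unless the
# resolved URL stays on the configured origin, so credentials never leave it.
def safe_build_request(base, target, headers = DEFAULT_HEADERS)
  base_uri = URI.parse(base)
  resolved = resolve_target(base, target)
  unless same_origin?(base_uri, resolved)
    raise HostMismatch, "target resolved to #{resolved.host.inspect}, " \
                        "expected #{base_uri.host.inspect}"
  end
  { url: resolved.to_s, headers: headers.dup }
end

if __FILE__ == $PROGRAM_NAME
  # A relative path stays on the configured host in both builders.
  puts build_request(BASE_URL, 'users/42')[:url]
  # A protocol-relative URI object re-homes the request (and its headers)
  # in the unscoped builder...
  puts build_request(BASE_URL, URI.parse('//evil.example/collect'))[:url]
  # ...and is rejected by the hardened one.
  begin
    safe_build_request(BASE_URL, URI.parse('//evil.example/collect'))
  rescue HostMismatch => e
    puts "refused: #{e.message}"
  end
end
```

The origin comparison deliberately includes scheme and port, not just host: a target that keeps the host name but downgrades to `http` or moves to another port would still send the header somewhere the connection was not configured for.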
OpenCVE Enrichment
GitHub GHSA