Server-Side Request Forgery (SSRF) in faraday
CVE-2026-25765
- faraday
Summary
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 1.10.5 and 2.x prior to 2.14.1, Faraday's "build_exclusive_url" method (in lib/faraday/connection.rb) uses Ruby's "URI#merge" to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's "get()", "post()", "build_url()", or other request methods, an attacker can supply a protocol-relative URL like "//attacker.com/endpoint" to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1 and 1.10.5.
- LOW
- NETWORK
- NONE
- CHANGED
- NONE
- NONE
- LOW
- NONE
CWE-918 - Server-Side Request Forgery (SSRF)
Server-side request forgery (SSRF) is a weakness that allows an attacker to send an arbitrary request, making it appear that the request was sent by the server. This request may bypass a firewall that would normally prevent direct access to the URL. The impact of this vulnerability can vary from unauthorized access to files and sensitive information to remote code execution.
References
Advisory Timeline
- Published
