Description
CVE-2026-25765 - Medium Severity Vulnerability
Vulnerable Library - faraday-2.14.0.gem
Library home page: https://rubygems.org/gems/faraday-2.14.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/faraday-2.14.0.gem
Dependency Hierarchy:
- googleauth-1.15.1.gem (Root Library)
  - ❌ faraday-2.14.0.gem (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1, faraday - 2.14.1