Vulnerability: Faraday versions below 2.14.1 are affected by SSRF in URL handling (GHSA-33mh-2634-fwr2).
Current Status: EDI GW is currently pinned to Faraday 1.x through the event_source dependency chain.
Mitigation: This advisory is temporarily added to the .bundler-audit.yml ignore list because the Rails 8 upgrade is in progress in parallel. The long-term fix is to upgrade event_source to a version that depends on Faraday >= 2.14.1.
Actions Taken:
- Documented vulnerability and mitigation plan in this file.
- Added CVE-2026-25765 to the bundler-audit ignore list as a temporary exception.
- Tracked follow-up to remove the exception after the Faraday 2 upgrade.
Ongoing Measures:
- Keep this exception time-boxed to 90 days; the Rails 8 upgrade is scheduled within that window.
- While the exception is in place, treat any code path that builds a Faraday request URL from caller-supplied input as in scope for review; the ignore entry silences the report, not the exposure.
- Remove the ignore entry after the dependency upgrade.
Vulnerability: Support for the Ruby 3.2 series (EDI GW runs 3.2.2) ends on 2026-03-31.
Current Status: EDI GW is currently pinned to Ruby version 3.2.2.
Mitigation: This warning is temporarily added to brakeman.ignore as we have a planned Ruby upgrade. The long-term fix is to upgrade Ruby to 3.2.10. Note that 3.2.10 is a patch release in the same 3.2 series, so the EOL warning will return after 2026-03-31 until EDI GW moves to a supported minor series (3.3 or later).
Actions Taken:
- Documented vulnerability and mitigation plan in this file.
- Added warning to brakeman.ignore list as a temporary exception.
Ongoing Measures:
- Created a reminder to periodically search for any new vulnerabilities affecting this Ruby version.
- Remove the ignore entry after the dependency upgrade.
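Both exceptions above share the same weakness: an ignore entry in .bundler-audit.yml or brakeman.ignore has no built-in expiry, so the 90-day time box is only enforced if someone remembers. The script below is an added example, not code from the EDI GW repository, showing one way to make the time box a CI check: every ignored id (CVE id or brakeman fingerprint) must have a row in a small expiry ledger, and a row past its expiry fails the build. The ledger format, the "added" dates, the brakeman fingerprint value and the note text are all assumed for illustration; the .bundler-audit.yml `ignore:` key and the brakeman.ignore `ignored_warnings` array are the tools' real formats.

```ruby
# Added example (not code from the EDI GW repository): a CI guard that keeps
# scanner exceptions time-boxed. Every ignored finding must have a row in an
# expiry ledger, and a row past its expiry fails the build. All file contents
# below are constructed samples embedded inline so the script runs offline.
require 'date'
require 'json'
require 'yaml'

# Constructed: .bundler-audit.yml with the advisory ignored (real key name).
BUNDLER_AUDIT_YML = <<~YAML
  ignore:
    - CVE-2026-25765
YAML

# Constructed: a trimmed brakeman.ignore. Only "ignored_warnings" and each
# entry's "fingerprint" matter here; the fingerprint value is made up.
BRAKEMAN_IGNORE_JSON = <<~JSON
  {
    "ignored_warnings": [
      {
        "check_name": "EOLRuby",
        "fingerprint": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
        "note": "Ruby 3.2 support ends 2026-03-31; upgrade scheduled"
      }
    ]
  }
JSON

# Constructed ledger (assumed format): one row per exception, keyed by the id
# the scanner ignores. The "added" dates are assumed for illustration; "days"
# is the 90-day time box from this file.
LEDGER_YML = <<~YAML
  - id: CVE-2026-25765
    tool: bundler-audit
    added: 2026-01-15
    days: 90
    reason: Faraday 2 via event_source, after the Rails 8 upgrade
  - id: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    tool: brakeman
    added: 2026-01-15
    days: 90
    reason: Ruby upgrade scheduled
YAML

AuditException = Struct.new(:id, :tool, :added, :days, :reason, keyword_init: true) do
  def expires_on
    added + days
  end

  # Strictly after the expiry date, so the last day of the window still passes.
  def expired?(today)
    today > expires_on
  end
end

def load_ledger(yml)
  YAML.safe_load(yml, permitted_classes: [Date]).map do |row|
    AuditException.new(id: row['id'].to_s, tool: row['tool'],
                       added: Date.parse(row['added'].to_s),
                       days: Integer(row['days']), reason: row['reason'])
  end
end

# Every id the scanners are told to ignore, from both config files.
def ignored_ids(bundler_audit_yml, brakeman_ignore_json)
  cves = Array(YAML.safe_load(bundler_audit_yml)['ignore']).map(&:to_s)
  fps  = JSON.parse(brakeman_ignore_json).fetch('ignored_warnings', []).map { |w| w['fingerprint'] }
  cves + fps
end

# Ignore entries nobody documented in the ledger.
def untracked(ignored, ledger)
  ignored - ledger.map(&:id)
end

# Ledger rows whose time box has run out.
def expired(ledger, today)
  ledger.select { |e| e.expired?(today) }
end

# Returns the two lists a CI step would fail on; both empty means clean.
def audit(today: Date.today, ledger_yml: LEDGER_YML,
          bundler_audit_yml: BUNDLER_AUDIT_YML, brakeman_ignore_json: BRAKEMAN_IGNORE_JSON)
  ledger = load_ledger(ledger_yml)
  {
    untracked: untracked(ignored_ids(bundler_audit_yml, brakeman_ignore_json), ledger),
    expired: expired(ledger, today).map { |e| "#{e.id} (#{e.tool}, expired #{e.expires_on})" }
  }
end

if $PROGRAM_NAME == __FILE__
  report = audit
  puts "untracked ignores: #{report[:untracked].inspect}"
  puts "expired exceptions: #{report[:expired].inspect}"
  puts(report.values.all?(&:empty?) ? 'OK' : 'FAIL: remove or re-approve the entries above')
end
```

In a pipeline, the step that wraps this would `exit 1` when either list is non-empty, so an ignore entry cannot outlive its approval silently; re-approving an exception means updating its ledger row with a new date and reason, which leaves an audit trail in version control.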