
Security: ideacrew/medicaid_gateway


SECURITY.md

Security Policy

Vulnerability Mitigations

CVE-2026-25765 - Faraday SSRF via protocol-relative URL host override

Vulnerability: Faraday versions below 2.14.1 are affected by a server-side request forgery (SSRF) issue in URL handling (GHSA-33mh-2634-fwr2).

Current Status: MG (medicaid_gateway) is currently pinned to Faraday 1.x through the event_source dependency chain.

Mitigation: This CVE has been temporarily added to the .bundler-audit.yml ignore list while the Rails 8 upgrade proceeds in parallel. The long-term fix is to upgrade event_source to Faraday >= 2.14.1.

Actions Taken:

  1. Documented vulnerability and mitigation plan in this file.
  2. Added CVE-2026-25765 to bundler-audit ignore list as a temporary exception.
  3. Tracked follow-up to remove the exception after Faraday 2 upgrade.

Ongoing Measures:

  1. Keep this exception time-boxed to 90 days, since the Rails 8 upgrade is imminent.
  2. Remove the ignore entry after dependency upgrade.
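The two measures above are only enforceable if something checks the clock. The following is an added example, not code from medicaid_gateway: it reads the `ignore:` list that bundler-audit consumes from .bundler-audit.yml and cross-checks it against a hypothetical sidecar file (here called .bundler-audit-exceptions.yml, an assumption; bundler-audit itself only reads the advisory IDs) that records when and why each exception was granted. Any ignored advisory without a record, or whose temporary exception is older than 90 days, is reported so the check can fail CI. The file contents and dates below are constructed samples.

```ruby
require "yaml"
require "date"

# Policy from SECURITY.md: temporary exceptions live at most 90 days.
MAX_EXCEPTION_DAYS = 90

# Constructed sample of the `ignore:` list bundler-audit reads from .bundler-audit.yml.
BUNDLER_AUDIT_YML = <<~YAML
  ignore:
    - CVE-2026-25765
    - GHSA-vfm5-rmrh-j26v
YAML

# Constructed sample of the hypothetical sidecar (.bundler-audit-exceptions.yml):
# one record per ignored advisory, with the grant date and rationale.
# `permanent: true` marks a risk acceptance for an advisory that does not apply
# (this flag is an assumption of the example, not a bundler-audit feature).
EXCEPTIONS_YML = <<~YAML
  CVE-2026-25765:
    added: 2026-02-20
    reason: Faraday 1.x pinned via event_source; upgrade tracked with Rails 8 work
  GHSA-vfm5-rmrh-j26v:
    added: 2024-12-11
    reason: Not vulnerable; CSP is never built from user input
    permanent: true
YAML

# Advisory IDs bundler-audit will skip.
def load_ignores(yaml_text)
  Array(YAML.safe_load(yaml_text)["ignore"])
end

# Unquoted dates parse as Date, which safe_load must be told to allow.
def load_exceptions(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Date]) || {}
end

# Classify every ignored advisory as ok, expired, or missing a justification record.
def audit_exceptions(ignores, exceptions, today)
  findings = { ok: [], expired: [], missing_record: [] }
  ignores.each do |id|
    record = exceptions[id]
    if record.nil?
      findings[:missing_record] << id
    elsif record["permanent"]
      findings[:ok] << id
    elsif (today - record["added"]).to_i > MAX_EXCEPTION_DAYS
      findings[:expired] << id
    else
      findings[:ok] << id
    end
  end
  findings
end

# True when no exception is missing its record or past its time box.
def exceptions_healthy?(ignores, exceptions, today)
  findings = audit_exceptions(ignores, exceptions, today)
  findings[:expired].empty? && findings[:missing_record].empty?
end

if __FILE__ == $0
  findings = audit_exceptions(load_ignores(BUNDLER_AUDIT_YML),
                              load_exceptions(EXCEPTIONS_YML), Date.today)
  findings.each { |status, ids| puts "#{status}: #{ids.join(', ')}" unless ids.empty? }
end
```

In a real pipeline the two constants would be replaced by `File.read` of the two files and the script would exit non-zero when `exceptions_healthy?` is false, which is what turns the "90 days" sentence above into a gate rather than an intention.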

Advisory GHSA-vfm5-rmrh-j26v - Action Dispatch 2024-12-10

Vulnerability:

Source: https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54133

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Mitigation:

No mitigation is required because the application is not vulnerable.

We do not dynamically set our CSP values using user input.

This specific security advisory has been added to the bundler-audit ignore file (.bundler-audit.yml).
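The statement above is the whole defence: a policy is only injectable if request-controlled text reaches the header. The following is an added example in plain Ruby, not medicaid_gateway code and not the Rails content_security_policy helper itself. It renders a header from fixed configuration, shows the string-interpolation pattern the advisory warns about (the `;` separator splits one value into extra directives), and, for the case where a source genuinely must vary at runtime, accepts it only through a directive allowlist and a strict single-source-expression check. Policy contents and inputs are constructed.

```ruby
# Fixed policy: every value comes from configuration, none from the request.
STATIC_POLICY = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'", "https://cdn.example.com"],
  "img-src"     => ["'self'", "data:"],
}.freeze

# Directives a runtime source may be appended to (assumed allowlist for the example).
KNOWN_DIRECTIVES = %w[default-src script-src style-src img-src connect-src font-src frame-src].freeze

# One source expression: a keyword or an https origin with optional port and path.
# Whitespace, `;` and `,` are excluded so a value can never become a new directive.
SOURCE_EXPRESSION = %r{\A(?:'self'|'none'|https://[a-z0-9.-]+(?::\d+)?(?:/[^\s;,']*)?)\z}i

# Serialise a policy hash to the Content-Security-Policy header value.
def render_csp(policy)
  policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join("; ")
end

# Count directives the browser would see in a rendered header.
def directive_count(header)
  header.split(";").map(&:strip).reject(&:empty?).size
end

# Vulnerable pattern from the advisory: an untrusted value spliced into the header.
def unsafe_csp_from_input(policy, user_value)
  "#{render_csp(policy)}; connect-src #{user_value}"
end

# Hardened check: exactly one well-formed source expression, nothing else.
def valid_source?(value)
  value.is_a?(String) && value.match?(SOURCE_EXPRESSION)
end

# Hardened pattern: runtime sources enter only through an allowlisted directive
# and only after validation; returns a new policy, leaving the static one frozen.
def add_dynamic_source(policy, directive, value)
  raise ArgumentError, "unknown CSP directive #{directive.inspect}" unless KNOWN_DIRECTIVES.include?(directive)
  raise ArgumentError, "rejected CSP source #{value.inspect}" unless valid_source?(value)
  policy.merge(directive => Array(policy[directive]) + [value])
end

if __FILE__ == $0
  puts render_csp(STATIC_POLICY)
  puts render_csp(add_dynamic_source(STATIC_POLICY, "connect-src", "https://api.example.com"))
end
```

The static path is what the policy section above relies on; the `add_dynamic_source` path is the fallback for an application that cannot avoid a runtime value, and even then the value is constrained to a single origin rather than passed through as text.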
