CVE-2026-25765
Server-Side Request Forgery (SSRF) vulnerability in faraday (RubyGems)
What is CVE-2026-25765 About?
This Server-Side Request Forgery (SSRF) vulnerability in Faraday's `build_exclusive_url` method allows an attacker who controls the path passed to a request to redirect that outbound request to an arbitrary host. The method resolves the supplied path against the connection's base URL with Ruby's `URI#merge`, and under RFC 3986 a protocol-relative (network-path) reference such as `//evil.com/path` replaces the base URL's authority, so the host is overridden even though Faraday applies a guard intended to keep relative paths beneath the base. Exploitation only requires placing such a URL in user-controlled input that reaches a request method, and the consequences include disclosure of the request's contents to the attacker's host and access to internal resources reachable from the application.
Affected Software
faraday (RubyGems), versions prior to 2.14.1; fixed in 2.14.1.
Technical Details
Faraday's `build_exclusive_url` method uses Ruby's `URI#merge` to combine the connection's base URL with a caller-supplied path. Under RFC 3986 section 5.2.2, a protocol-relative URL such as `//evil.com/path` is a network-path reference: it carries its own authority, so reference resolution replaces the host (and any userinfo or port) of the base URL while keeping its scheme. If user-controlled input reaches Faraday's request methods such as `get()` or `post()`, an attacker can supply `//attacker.com/endpoint` and Faraday sends the request to the attacker's host instead of the intended internal API. A `./` prefix guard introduced in a previous patch only constrains relative paths so that they resolve beneath the base path; a network-path reference is not a relative path and is not affected by it, which is what makes the vulnerability exploitable.
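The following Ruby stand-in is an added example, not Faraday's own code. It reproduces the resolution step with the standard library's `URI#merge` and a simplified guard of the kind the advisory describes, shows how a network-path reference replaces the base authority, and then applies the check an application can perform on the resolved URI: compare its origin (scheme, host, port) with the base and refuse anything that differs. The base URL `api.internal.example`, the host `attacker.example`, and the helper names are constructed for this example.

```ruby
require 'uri'

# Base URL of the internal API the application intends to call (constructed).
BASE = URI('https://api.internal.example/v1/')

# Illustration of the vulnerable pattern (simplified stand-in, not Faraday's
# code): prefix relative paths with "./" so they resolve beneath the base
# path, then resolve with URI#merge (RFC 3986 section 5.2.2). A network-path
# reference ("//host/...") begins with "/" and carries its own authority, so
# the guard leaves it alone and merge replaces the base host.
# Absolute URLs take a separate code path in a real client and are not
# modelled here.
def resolve_unchecked(base, path)
  path = "./#{path}" unless path.start_with?('/', './', '../')
  base.merge(path)
end

class HostOverrideError < StandardError; end

# Hardened variant: resolve first, then refuse any result whose origin
# differs from the base. Checking the resolved URI rather than the input
# string means the check holds regardless of which syntax the parser accepts
# for the authority.
def resolve_checked(base, path)
  uri = resolve_unchecked(base, path)
  same_origin = uri.scheme == base.scheme &&
                uri.host == base.host &&
                uri.port == base.port
  unless same_origin
    raise HostOverrideError,
          "refusing #{path.inspect}: resolves to #{uri.scheme}://#{uri.host}:#{uri.port}"
  end
  uri
end

if $PROGRAM_NAME == __FILE__
  ['users/42', '//attacker.example/x'].each do |input|
    puts "#{input.inspect} -> #{resolve_unchecked(BASE, input)}"
    begin
      resolve_checked(BASE, input)
      puts '  origin check: ok'
    rescue HostOverrideError => e
      puts "  origin check: #{e.message}"
    end
  end
end
```

Running the script prints `https://api.internal.example/v1/users/42` for the benign path and `https://attacker.example/x` for the protocol-relative input, with the origin check rejecting only the latter. In an application the same comparison belongs wherever user input is turned into a request URL, in addition to upgrading Faraday.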
What is the Impact of CVE-2026-25765?
Successful exploitation lets an attacker redirect an HTTP request the application intended for an internal service to a host of the attacker's choosing (Server-Side Request Forgery). Because the request is still built on the application's configured connection, any headers set on that connection, such as an Authorization header for the internal API, and the request body are sent to the substituted host, and that host's response is returned to the application as if it came from the intended service.
What is the Exploitability of CVE-2026-25765?
Exploitation requires the application to pass user-controlled input to Faraday's `get()`, `post()`, `build_url()`, or other request methods as the request path; this is a common development pattern. No authentication is required if the input field is public-facing, and the attack is remote: the attacker only supplies a malicious URL string such as `//attacker.com/endpoint`. Complexity is low, since the behavior relies on standard RFC 3986 reference resolution rather than on a parser quirk. The contributing risk factor is missing validation of user-controlled input before it reaches Faraday's request methods, in particular the absence of a check that the resolved URL still points at the intended host.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-25765?
Available Upgrade Options
- faraday
- <2.14.1 → Upgrade to 2.14.1
Additional Resources
- https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2
- https://github.com/lostisland/faraday/pull/1569
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml
- https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
- https://github.com/lostisland/faraday/releases/tag/v2.14.1
- https://github.com/lostisland/faraday
- https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
- https://nvd.nist.gov/vuln/detail/CVE-2026-25765
What are Similar Vulnerabilities to CVE-2026-25765?
Similar Vulnerabilities: CVE-2026-26019 , CVE-2026-26013 , CVE-2023-45802 , CVE-2022-26134 , CVE-2021-44228
