Update dependency faraday to v2.14.2 [SECURITY]#200
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
ec53950 to
30111cb
Compare
e6a3612 to
285c570
Compare
285c570 to
fee068a
Compare
fee068a to
c2d7174
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.13.3→2.14.2Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
CVE-2026-25765 / GHSA-33mh-2634-fwr2
More information
Details
Impact
Faraday's
build_exclusive_urlmethod (inlib/faraday/connection.rb) uses Ruby'sURI#mergeto combine the connection's base URL with a user-supplied path. Per RFC 3986,protocol-relative URLs (e.g.
//evil.com/path) are treated as network-path referencesthat override the base URL's host/authority component.
This means that if any application passes user-controlled input to Faraday's
get(),post(),build_url(), or other request methods, an attacker can supply aprotocol-relative URL like
//attacker.com/endpointto redirect the request to anarbitrary host, enabling Server-Side Request Forgery (SSRF).
The
./prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with/, so protocol-relative URLs bypass it entirely.Example:
Patches
Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.
Workarounds
NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.
Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:
Example validation:
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
CVE-2026-33637 / GHSA-5rv5-xj5j-3484
More information
Details
Summary
Faraday::Connection#build_exclusive_urlstill allows protocol-relative host override when the request target is provided as aURIobject instead of aString. This bypasses the February 2026 fix forGHSA-33mh-2634-fwr2and can redirect a request built from a fixed-baseFaraday::Connectionto an attacker-controlled host while preserving connection-scoped headers such asAuthorization.Affected Component
lib/faraday/connection.rblib/faraday/request.rbspec/faraday/connection_spec.rbspec/faraday/request_spec.rbFaraday::Connection#build_exclusive_urlFaraday::Connection#run_requestFaraday::Request#urlFaraday::Request#to_envFaraday 2.14.1a01039c948d3e9e41e03d152aed7244f0fb4d5caAttacker Profile
URI.parse(...)and passes toconn.get(...),[conn.post](http://conn.post/)(...), orreq.url(...)URI("//evil.example/pwn")Steps to Reproduce
lib/.URIobject toreq.url.Authorizationheader remains attached to the off-host request.Verification Evidence
2.14.1,faraday-net_http, local WEBrick listener on127.0.0.1:4567, HEADa01039c948d3e9e41e03d152aed7244f0fb4d5ca0Additional External Confirmation
The issue was also independently reproduced against a public HTTP collector on Faraday
2.14.1using the defaultnet_httpadapter:This external confirmation shows the request is not only misbuilt in memory, but is actually dispatched off-host by a real adapter under normal usage.
Supporting Materials
GHSA-33mh-2634-fwr2CVE-2026-25765spec/faraday/connection_spec.rb:314-345URIrequest input:spec/faraday/request_spec.rb:26-31Impact
The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the
connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
lostisland/faraday (faraday)
v2.14.2Compare Source
Security Note
This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.
What's Changed
New Contributors
Full Changelog: lostisland/faraday@v2.14.1...v2.14.2
v2.14.1Compare Source
Security Note
This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.
What's Changed
New Contributors
Full Changelog: lostisland/faraday@v2.14.0...v2.14.1
v2.14.0Compare Source
What's Changed
New features ✨
UnprocessableContentnaming for 422 by @tylerhunt in #1638Fixes 🐞
Response#to_hashwhen response not finished yet by @yykamei in #1639Misc/Docs 📄
filter_mapby @olleolleolle in #1637actions/checkoutfrom v4 to v5 by @dependabot[bot] in #1636New Contributors
Full Changelog: lostisland/faraday@v2.13.4...v2.14.0
v2.13.4Compare Source
What's Changed
Full Changelog: lostisland/faraday@v2.13.3...v2.13.4
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.