{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25765", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.358Z", "datePublished": "2026-02-09T20:30:58.774Z", "dateUpdated": "2026-02-10T15:59:26.645Z"}, "containers": {"cna": {"title": "Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2"}, {"name": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc", "tags": ["x_refsource_MISC"], "url": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc"}, {"name": "https://github.com/lostisland/faraday/releases/tag/v2.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/lostisland/faraday/releases/tag/v2.14.1"}], "affected": [{"vendor": "lostisland", "product": "faraday", "versions": [{"version": "< 2.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:30:58.774Z"}, "descriptions": [{"lang": "en", "value": "Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1."}], "source": {"advisory": "GHSA-33mh-2634-fwr2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:39:44.597673Z", "id": "CVE-2026-25765", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:59:26.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25765", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:39:44.597673Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:39:45.460Z"}}], "cna": {"title": "Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url", "source": {"advisory": "GHSA-33mh-2634-fwr2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "lostisland", "product": "faraday", "versions": [{"status": "affected", "version": "< 2.14.1"}]}], "references": [{"url": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2", "name": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc", "name": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/lostisland/faraday/releases/tag/v2.14.1", "name": "https://github.com/lostisland/faraday/releases/tag/v2.14.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:30:58.774Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25765", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:59:26.645Z", "dateReserved": "2026-02-05T18:35:52.358Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T20:30:58.774Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EB2D675-BCBC-47F1-8782-F14A960DF3B1", "versionEndExcluding": "1.10.5", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*:*", "matchCriteriaId": "C612B716-C5E1-42C1-93EA-5609AEEBF64A", "versionEndExcluding": "2.14.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1."}, {"lang": "es", "value": "Faraday es una capa de abstracci\u00f3n de biblioteca cliente HTTP que proporciona una interfaz com\u00fan sobre muchos adaptadores. Antes de la versi\u00f3n 2.14.1, el m\u00e9todo build_exclusive_url de Faraday (en lib/faraday/connection.rb) utiliza URI#merge de Ruby para combinar la URL base de la conexi\u00f3n con una ruta proporcionada por el usuario. Seg\u00fan la RFC 3986, las URL relativas al protocolo (por ejemplo, //evil.com/path) se tratan como referencias de ruta de red que anulan el componente de host/autoridad de la URL base. Esto significa que si alguna aplicaci\u00f3n pasa entrada controlada por el usuario a los m\u00e9todos get(), post(), build_url() u otros m\u00e9todos de petici\u00f3n de Faraday, un atacante puede proporcionar una URL relativa al protocolo como //attacker.com/endpoint para redirigir la petici\u00f3n a un host arbitrario, lo que permite la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF). Esta vulnerabilidad se corrige en la versi\u00f3n 2.14.1."}], "id": "CVE-2026-25765", "lastModified": "2026-02-20T21:03:57.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T21:15:49.490", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/lostisland/faraday/releases/tag/v2.14.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Faraday: Faraday: Server-Side Request Forgery via protocol-relative URLs", "id": "2438241", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438241"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-1289", "details": ["A flaw was found in Faraday, an HTTP client library. The `build_exclusive_url` method, which combines a base URL with a user-supplied path, incorrectly processes protocol-relative URLs (e.g., //evil.com/path). This allows a remote attacker to supply a specially crafted URL, leading to Server-Side Request Forgery (SSRF). An attacker can exploit this to redirect requests to an arbitrary host, potentially accessing internal resources or bypassing security controls."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25765", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/eventrouter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/fluentd-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/log-file-metric-exporter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-view-plugin-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/vector-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp20/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-kubernetes-nmstate-handler-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-02-09T20:30:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25765\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25765\nhttps://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc\nhttps://github.com/lostisland/faraday/releases/tag/v2.14.1\nhttps://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2"], "statement": "MODERATE: The Faraday HTTP client library, used in Red Hat 3scale API Management Platform and OpenShift Container Platform components, is vulnerable to Server-Side Request Forgery (SSRF). This flaw allows an attacker to redirect requests to arbitrary hosts if user-controlled input is passed to Faraday's request methods, due to incorrect processing of protocol-relative URLs.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.14.1)"}}], "product": "faraday", "vendor": "lostisland"}], "analysis": {"en": {"generated_at": "2026-04-18T12:58:02.183101+00:00", "value": {"mitigation_remediation": ["Upgrade Faraday to version 2.14.1 or later. This patch corrects the URL merging logic to preserve the original host when a protocol\u2011relative URL is supplied.", "Validate or sanitize all user\u2011controlled URLs before passing them to Faraday. Reject or normalize protocol\u2011relative URLs, and implement host whitelisting to restrict outbound destinations.", "Configure network controls such as firewalls or proxy rules to block unsolicited outbound connections to unfamiliar hosts, ensuring only approved endpoints are reachable from the application."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Faraday project, provided by lostisland. All releases before version 2.14.1 are susceptible. The fix was delivered in 2.14.1, so any deployment that has not upgraded to 2.14.1 or newer remains at risk.", "description_and_impact": "The flaw lies in the Faraday HTTP client\u2019s build_exclusive_url method, which merges a base URL with a user\u2011supplied path using Ruby\u2019s URI#merge. When a protocol\u2011relative URL (starting with //) is supplied, RFC 3986 dictates that the host component overrides the base URL\u2019s authority. Consequently, an attacker can craft a request such as //attacker.com/endpoint, causing Faraday to redirect outgoing HTTP calls to an arbitrary host. This enables the attacker to access internal resources, exfiltrate data, or pivot laterally from the vulnerable application, representing a Server\u2011Side Request Forgery issue. The CVSS score of 5.8 reflects a moderate severity, as the attack requires the application to forward user input to the Faraday API.", "risk_and_exploitability": "The EPSS score is < 1%, indicating a low exploitation probability at present, and faraday is not listed in the CISA KEV catalog. The most common attack vector is application\u2011level: if software receives untrusted input and forwards it unchecked to Faraday\u2019s get, post, or build_url methods, the attacker controls the request destination. Exploitation does not require privileged credentials but relies on the ability to influence the URL supplied to the client. The presence of CWEs 918 and 1289 underscores the lack of input validation and potential certificate validation deficiencies."}}}}, "created": "2026-02-10T11:35:14.034169+00:00", "updated": "2026-04-18T13:00:08.769228+00:00", "vendors": ["lostisland", "lostisland$PRODUCT$faraday"]}