CVE-2026-25765
📋 TL;DR
CVE-2026-25765 is a Server-Side Request Forgery (SSRF) vulnerability in Faraday HTTP client library versions before 2.14.1. Attackers can exploit protocol-relative URLs (e.g., //evil.com/path) in user-supplied input to redirect HTTP requests to arbitrary hosts. Any application using vulnerable Faraday methods with untrusted input is affected.
💻 Affected Systems
- Faraday HTTP client library
📦 What is this software?
Faraday by Faraday Project
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal services via SSRF, data exfiltration, internal network reconnaissance, or chaining with other vulnerabilities to achieve remote code execution.
Likely Case
Unauthorized access to internal HTTP services, data leakage from internal APIs, or exploitation of trust relationships between services.
If Mitigated
Limited impact if input validation filters protocol-relative URLs or Faraday is only used with trusted data sources.
🎯 Exploit Status
Exploitation requires user input to reach vulnerable Faraday methods. The vulnerability is straightforward to exploit once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.14.1
Vendor Advisory: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
Restart Required: No
Instructions:
1. Update your Gemfile to specify 'faraday', '>= 2.14.1'.
2. Run 'bundle update faraday'.
3. Test your application to ensure compatibility with the updated version.
🔧 Temporary Workarounds
Input validation for protocol-relative URLs
Validate and reject user input containing protocol-relative URLs (starting with //) before passing it to Faraday methods.
Ruby code example:
validate_path = user_input.start_with?('//') ? nil : user_input
🧯 If You Can't Patch
- Implement strict input validation to block protocol-relative URLs (//) in all user-supplied paths.
- Use Faraday only with trusted, hardcoded URLs and avoid passing user input directly to request methods.
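The following is an added example, not code from the advisory or the Faraday project, implementing the validation the workaround above describes. Rather than only checking for a leading //, it resolves the user-supplied path against the intended base URL the way an HTTP client would and rejects it if the scheme, host or port changed, so it also catches full URLs to other hosts and malformed input; the base URL https://api.example.com/v1/ and the helper name safe_path are assumptions for the example.

```ruby
require 'uri'

# Assumed base URL for the example (constructed, not from the advisory).
BASE_URL = 'https://api.example.com/v1/'

# Returns the resolved absolute URL as a String if it stays on BASE_URL's
# scheme, host and port; returns nil otherwise. Callers treat nil as "reject"
# and must not pass the input on to Faraday.
def safe_path(user_input, base = BASE_URL)
  return nil unless user_input.is_a?(String) && !user_input.empty?

  base_uri = URI.parse(base)
  # URI.join applies RFC 3986 reference resolution, so "//evil.example/x"
  # becomes "https://evil.example/x" here, exactly as a client would resolve it.
  resolved = URI.join(base_uri, user_input)

  same_origin = resolved.scheme == base_uri.scheme &&
                resolved.host == base_uri.host &&
                resolved.port == base_uri.port
  same_origin ? resolved.to_s : nil
rescue URI::InvalidURIError
  # Backslashes, whitespace or control characters make the parser raise;
  # such input is rejected rather than guessed at.
  nil
end

# Constructed sample inputs showing what the check allows and blocks.
SAMPLES = {
  'users/42'                      => 'https://api.example.com/v1/users/42',
  '/users/42'                     => 'https://api.example.com/users/42',
  'https://api.example.com/v1/ok' => 'https://api.example.com/v1/ok',
  '//evil.example/path'           => nil, # protocol-relative: host changes
  'http://evil.example/x'         => nil, # absolute URL to another host
  'https://api.example.com:8443/' => nil, # same host, different port
  "users/\n42"                    => nil, # malformed input
}

SAMPLES.each do |input, expected|
  result = safe_path(input)
  flag = result == expected ? '' : ' (UNEXPECTED)'
  puts "#{input.inspect} -> #{result.inspect}#{flag}"
end
```

Note that a path such as //api.example.com/other is accepted because it stays on the intended host; restrict the allowed path prefix as well if your application needs that.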
🔍 How to Verify
Check if Vulnerable:
Check your Gemfile.lock or run 'bundle show faraday' to see the installed Faraday version. If the installed version is earlier than 2.14.1, you are vulnerable.
Check Version:
bundle show faraday
Verify Fix Applied:
After updating, verify the Faraday version is >= 2.14.1 using 'bundle show faraday' or checking Gemfile.lock.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests to unexpected domains, especially with protocol-relative URLs in request paths.
Network Indicators:
- HTTP requests from your application servers to external or unexpected internal hosts that don't match normal traffic patterns.
SIEM Query:
source="application_logs" AND (message CONTAINS "//" OR (message CONTAINS "faraday" AND status=500))