PT-2026-41685 · Rubygems · Faraday

Pirikara · Published 2026-05-18 · Updated 2026-05-19 · CVE-2026-33637

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Faraday versions 2.0.0 through 2.14.1
Description: Faraday is an HTTP client library abstraction layer. A flaw exists where a protocol-relative host override is possible when the request target is passed as a URI object instead of a String to Faraday::Connection#build_exclusive_url. This allows off-host request forgery: a request intended for a fixed-base connection can be redirected to an attacker-controlled host. In the process, connection-scoped values such as Authorization headers and default query parameters are forwarded to the malicious host. Other affected functions include Faraday::Connection#run_request, Faraday::Request#url, and Faraday::Request#to_env.
Recommendations: Update to version 2.14.3. As a temporary workaround, avoid passing URI objects to Faraday::Connection#build_exclusive_url and use String targets instead.
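The following Ruby is an added illustration, not Faraday's code and not part of this advisory. Using only the standard library's URI, it resolves a request target against a fixed base the way an HTTP client does and shows why a protocol-relative target matters: the resolved origin lands on a different host. It then applies the same-origin guard a caller can place in front of any connection that carries Authorization headers or default query parameters, so that off-host targets are rejected before those connection-scoped values are attached. The base URL, the sample targets and the helper names (`resolve_target`, `same_origin?`, `checked_url`) are constructed for this example.

```ruby
require "uri"

# Constructed sample base for a fixed-base connection (not a real endpoint).
FIXED_BASE = URI("https://api.example.test/v1/")

# Resolve a target against the base exactly as an RFC 3986 client would.
# Both String and URI targets are accepted; a protocol-relative target such
# as "//other.host/path" keeps the scheme but replaces the authority.
def resolve_target(base, target)
  URI.join(base, target.to_s)
end

# Origin check: scheme, host and port of the resolved URL must all equal
# the base's. A different path is fine; a different authority is not.
def same_origin?(base, target)
  resolved = resolve_target(base, target)
  [resolved.scheme, resolved.host, resolved.port] ==
    [base.scheme, base.host, base.port]
end

# Guard to run before building a request that carries connection-scoped
# secrets: returns the final URL string or raises on an off-host target.
def checked_url(base, target)
  resolved = resolve_target(base, target)
  unless same_origin?(base, target)
    raise ArgumentError, "refusing off-host request target: #{resolved}"
  end
  resolved.to_s
end

if __FILE__ == $PROGRAM_NAME
  samples = [
    "users/1",                              # relative path, stays on base host
    URI("//other.example.test/collect"),    # protocol-relative URI object
    "http://api.example.test/v1/x",         # same host, downgraded scheme
  ]
  samples.each do |t|
    status = same_origin?(FIXED_BASE, t) ? "allowed" : "rejected"
    puts "#{t.inspect} -> #{resolve_target(FIXED_BASE, t)} (#{status})"
  end
end
```

The guard compares origins rather than hostnames alone so that a scheme downgrade to plain HTTP against the same host is also refused; that keeps an Authorization header from being sent in cleartext even when the host is unchanged.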

Tags: Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33637
GHSA-5RV5-XJ5J-3484

Affected Products

Faraday