PT-2026-7153 · Faraday · Faraday

Neo-Ai-Engineer (+1)
Published: 2026-02-09 · Updated: 2026-05-18
CVE-2026-25765
CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Faraday versions prior to 2.14.1
Description: Faraday is an HTTP client library abstraction layer. The build_exclusive_url function (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine a connection's base URL with a caller-supplied path. Under RFC 3986, a reference that starts with // is a network-path reference: when it is resolved against a base URL, its own authority (host and port) replaces the authority of the base URL and only the scheme is inherited. If an application passes user-controlled input to request methods such as get(), post(), or build_url, an attacker can supply a protocol-relative URL such as //attacker-host/path and the library will send the request to that host instead of the configured base host. This is Server-Side Request Forgery (SSRF): the attacker forces the server to make requests to a destination it never intended to contact.
Recommendations: Update to version 2.14.1 or later. Validate and sanitize user-controlled input before passing it to request methods, rejecting or stripping input that starts with // followed by a character other than /. Use an allowlist of permitted path prefixes. Prepend ./ to all user-supplied paths before passing them to the library, so that the input can only ever be interpreted as a path segment and never as an authority.

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

AZL-77631
AZL-77639
CVE-2026-25765
GHSA-33MH-2634-FWR2

Affected Products

Faraday