CVE-2026-25765 Overview
CVE-2026-25765 is a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a popular HTTP client library abstraction layer for Ruby that provides a common interface over many adapters. The vulnerability exists in versions prior to 2.14.1 and stems from improper handling of protocol-relative URLs in the build_exclusive_url method located in lib/faraday/connection.rb.
The core issue lies in how Faraday uses Ruby's URI#merge method to combine a connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g., //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This behavior can be exploited by attackers to redirect HTTP requests to arbitrary hosts when user-controlled input is passed to Faraday's request methods.
Critical Impact
Applications using Faraday that pass user-controlled input to request methods (get(), post(), build_url(), etc.) are vulnerable to SSRF attacks, potentially allowing attackers to access internal services, exfiltrate data, or pivot to other systems within the network.
Affected Products
- Faraday HTTP Client Library versions prior to 2.14.1
- Ruby applications utilizing vulnerable Faraday versions with user-controlled URL paths
- Web services and APIs built with Faraday that accept external URL inputs
Discovery Timeline
- 2026-02-09 - CVE-2026-25765 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25765
Vulnerability Analysis
This SSRF vulnerability (CWE-918) occurs due to the way Faraday's URL building mechanism processes protocol-relative URLs. When an application constructs HTTP requests using Faraday, it typically establishes a base URL for a connection and then appends user-specified paths for individual requests. The build_exclusive_url method uses Ruby's built-in URI#merge functionality to combine these components.
The vulnerability becomes exploitable when user input flows into request methods without proper validation. An attacker can supply a protocol-relative URL such as //attacker.com/endpoint that, according to RFC 3986 URI resolution rules, will override the host component of the base URL while preserving the scheme. This effectively redirects the intended request to an attacker-controlled server.
The impact of this vulnerability includes unauthorized access to internal network resources, potential data exfiltration through redirected requests, and the ability to scan internal services from the perspective of the vulnerable application server.
Root Cause
The root cause is the use of URI#merge in the build_exclusive_url method without proper validation of the user-supplied path parameter. RFC 3986 defines protocol-relative URLs (//host/path) as network-path references that replace the authority component of the base URI. Faraday did not account for this behavior, trusting that paths would be relative and not contain host information.
The fix implemented in version 2.14.1 adds validation to detect and properly handle protocol-relative URLs, preventing the host override behavior that enables SSRF attacks.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker exploits this vulnerability by providing a malicious protocol-relative URL (e.g., //attacker.com/api/endpoint) as input to any application endpoint that uses this input in Faraday request methods.
For example, if an application allows users to specify an API endpoint path, an attacker could submit //internal-service.local/admin instead of a legitimate path like /api/users. The Faraday client would then make the request to internal-service.local instead of the intended API server, potentially exposing internal services to the attacker.
The vulnerability mechanism involves the URL merging behavior in Faraday's connection handling. When a protocol-relative URL is passed to request methods, the URI#merge operation preserves the original scheme but replaces the host with the attacker-supplied domain. See the GitHub Security Advisory for complete technical details.
Detection Methods for CVE-2026-25765
Indicators of Compromise
- Outbound HTTP/HTTPS requests to unexpected external domains from application servers
- Network traffic patterns showing requests to internal IP ranges (e.g., 10.x.x.x, 192.168.x.x, 172.16.x.x) originating from web application processes
- Log entries containing URLs with double-slash prefix patterns (//) in request paths
- Unusual DNS resolution requests from application servers for internal hostnames
Detection Strategies
- Monitor application logs for URL patterns containing protocol-relative references (//domain.com/path)
- Implement network egress monitoring to detect unexpected outbound connections from application servers
- Use Web Application Firewalls (WAF) to detect and block requests containing protocol-relative URL patterns in user input
- Deploy dependency scanning tools to identify vulnerable Faraday versions in your codebase
Monitoring Recommendations
- Enable detailed logging for all outbound HTTP requests made by application services
- Configure network segmentation alerts for unexpected internal service access patterns
- Implement Software Composition Analysis (SCA) to track Faraday library versions across all projects
- Set up alerts for DNS queries to internal domain names from DMZ or public-facing application servers
How to Mitigate CVE-2026-25765
Immediate Actions Required
- Upgrade Faraday to version 2.14.1 or later immediately
- Audit all code paths where user input is passed to Faraday request methods (get(), post(), put(), delete(), build_url())
- Implement input validation to reject URLs containing protocol-relative patterns (//)
- Review network egress rules to restrict outbound connections from application servers
Patch Information
The vulnerability is fixed in Faraday version 2.14.1. The patch addresses the unsafe URL merging behavior by properly validating and sanitizing user-supplied paths before combining them with the base URL.
- Fixed Version:2.14.1
- Patch Commit:a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
- Release Notes:Faraday v2.14.1
- Security Advisory:GHSA-33mh-2634-fwr2
Workarounds
- Implement strict input validation to reject any user-supplied paths starting with //
- Use allowlists for permitted URL paths rather than accepting arbitrary user input
- Deploy network-level controls to restrict outbound connections to known-good destinations
- Consider implementing a URL proxy service that validates and sanitizes all outbound request destinations
# Update Faraday to the fixed version using Bundler
bundle update faraday --conservative
# Or specify the minimum safe version in your Gemfile
# gem 'faraday', '>= 2.14.1'
# Verify the installed version
bundle show faraday
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
