CVE-2026-33637 Overview
CVE-2026-33637 affects Faraday, a Ruby HTTP client library that abstracts multiple adapter backends behind a common interface. Versions 2.0.0 through 2.14.1 permit a protocol-relative host override when callers pass a URI object to Faraday::Connection#build_exclusive_url. The flaw bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery [CWE-918]. Attackers can redirect requests from a fixed-base Faraday::Connection to an attacker-controlled host, leaking connection-scoped values such as Authorization headers and default query parameters. The maintainers released a patch in Faraday version 2.14.3.
Critical Impact
A request built from a trusted base connection can be coerced to a hostile host, forwarding bearer tokens, API keys, and default query parameters to an attacker.
Affected Products
- Faraday Ruby gem versions 2.0.0 through 2.14.1
- Applications calling Faraday::Connection#build_exclusive_url with a URI argument
- Downstream Ruby services that build request URLs from untrusted input
Discovery Timeline
- 2026-05-19 - CVE-2026-33637 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-33637
Vulnerability Analysis
Faraday exposes Faraday::Connection#build_exclusive_url to merge a request target with the connection's base URL. The earlier advisory GHSA-33mh-2634-fwr2 addressed protocol-relative inputs of the form //attacker.tld/path when supplied as a String. That patch normalized String inputs but did not apply the same normalization when the request target arrived as a URI object. An attacker who controls the path component handed to a Faraday request can therefore submit a URI whose host field overrides the connection's configured host. This converts what callers expect to be a same-host request into a Server-Side Request Forgery against any reachable host [CWE-918].
Root Cause
The root cause is inconsistent input normalization between String and URI code paths inside build_exclusive_url. The String path strips or rejects protocol-relative authorities, while the URI path trusts the host attribute of the supplied object. Connections built with Faraday.new(url: ...) therefore lose their host immutability guarantee when the per-request target is a URI.
Attack Vector
An attacker who can influence the URL passed to a Faraday request, for example through a user-supplied identifier, callback URL, or webhook target, supplies a URI whose host points to attacker-controlled infrastructure. Faraday then issues the outbound HTTP request to the attacker's host while still attaching connection-level Authorization headers, cookies, and default query parameters. The attacker receives the credentials and can replay them against the legitimate API. The vulnerability is reachable over the network without authentication or user interaction.
The vulnerability manifests in the URL composition logic of build_exclusive_url. See the Faraday GitHub Security Advisory GHSA-5rv5-xj5j-3484 for technical details and the prior GHSA-33mh-2634-fwr2 advisory for context on the bypassed fix.
Detection Methods for CVE-2026-33637
Indicators of Compromise
- Outbound HTTPS requests from application hosts to unexpected external domains shortly after API calls that accept user-supplied URL or identifier parameters.
- Application logs showing Faraday requests whose final resolved host differs from the configured connection base URL.
- Authentication providers reporting use of bearer tokens or API keys from unfamiliar source IPs.
Detection Strategies
- Inventory Ruby applications and their Gemfile.lock entries to flag any faraday version between 2.0.0 and 2.14.1.
- Add static analysis rules to detect calls that pass externally derived data into Faraday::Connection#get, #post, or build_exclusive_url as URI objects.
- Inspect egress proxy or NetFlow logs for connections from application tiers to hosts outside the documented API allowlist.
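The lockfile inventory check from the first bullet, as an added example that is not part of the advisory or of Faraday itself. The helper names, the sample Gemfile.lock fragment and the three-way classification are assumptions made for this illustration; the version boundaries are the ones stated above (2.0.0 through 2.14.1 affected, fixed in 2.14.3), and 2.14.2 is reported as unverified because the advisory does not list it.

```ruby
require "rubygems" # provides Gem::Version for correct semantic comparison

# Version boundaries as stated in the advisory text for CVE-2026-33637.
AFFECTED_MIN = Gem::Version.new("2.0.0")
AFFECTED_MAX = Gem::Version.new("2.14.1")
FIXED_IN     = Gem::Version.new("2.14.3")

# Extract every resolved "faraday (x.y.z)" spec line from Gemfile.lock text.
# Spec entries are indented exactly four spaces; dependency lines (six spaces)
# and sibling gems such as faraday-net_http or faraday-retry do not match.
def faraday_versions(lockfile_text)
  lockfile_text.scan(/^ {4}faraday \(([^)]+)\)\s*$/).flatten
end

# Classify one version string against the advisory's ranges.
def classify_faraday_version(version)
  v = Gem::Version.new(version)
  return :fixed if v >= FIXED_IN
  return :affected if v >= AFFECTED_MIN && v <= AFFECTED_MAX
  :unverified # e.g. 1.x or 2.14.2, which the advisory does not mention
end

# Map each resolved faraday version in the lockfile to its status.
def audit_lockfile(lockfile_text)
  faraday_versions(lockfile_text).to_h { |ver| [ver, classify_faraday_version(ver)] }
end

# Constructed Gemfile.lock fragment (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      faraday (2.14.1)
        faraday-net_http (>= 2.0, < 3.5)
        json
        logger
      faraday-net_http (3.4.0)
        net-http (>= 0.5.0)
      faraday-retry (2.2.1)
        faraday (~> 2.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit.rb [path/to/Gemfile.lock]; falls back to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  audit_lockfile(text).each { |ver, status| puts "faraday #{ver}: #{status}" }
end
```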
Monitoring Recommendations
- Enforce egress allowlisting for application services and alert on first-seen destination domains.
- Capture and correlate outbound HTTP request metadata, including final URL and Authorization header presence, in a centralized log platform.
- Rotate and monitor API credentials that may have been forwarded to a third party while patching is in progress.
How to Mitigate CVE-2026-33637
Immediate Actions Required
- Upgrade the faraday gem to version 2.14.3 or later across all Ruby services and rebuild deployment artifacts.
- Audit code paths that pass user-controlled values into Faraday request URLs and convert URI inputs to validated Strings.
- Rotate any Authorization headers, API keys, or session tokens that vulnerable services may have leaked.
Patch Information
The Faraday maintainers fixed the issue in version 2.14.3 by normalizing host handling for URI inputs to build_exclusive_url. Details are documented in the Faraday GitHub Security Advisory GHSA-5rv5-xj5j-3484.
Workarounds
- Validate every request target against an allowlist of expected hosts before invoking Faraday.
- Strip the host and scheme from any caller-supplied URI and pass only the path and query components.
- Restrict outbound network egress from application servers to the specific hosts required by the integration.
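The first two workarounds combined into one helper, as an added example that is not part of the advisory or of Faraday's own code. It treats String and URI targets identically: anything protocol-relative, carrying a non-HTTP scheme, or naming a host outside the allowlist is refused, and an allowed absolute URL is reduced to its path and query before being joined onto the fixed base. ALLOWED_HOSTS, the helper names and the sample targets are assumptions constructed for the illustration.

```ruby
require "uri"

# Hosts this integration is permitted to reach (constructed for the example).
ALLOWED_HOSTS = ["api.example.com"].freeze

# Reduce a caller-supplied target (String or URI object) to a host-less,
# scheme-less "path?query" string. Returns nil for protocol-relative input,
# non-HTTP schemes, or an authority whose host is not on the allowlist, so the
# String and URI code paths receive the same normalization.
def safe_relative_target(target, allowed_hosts: ALLOWED_HOSTS)
  raw = target.to_s.strip
  # "//evil.tld/path" and a URI object built with only a host both stringify
  # to a protocol-relative form; refuse that shape before parsing it.
  return nil if raw.start_with?("//")

  uri = URI.parse(raw)
  return nil if uri.scheme && !%w[http https].include?(uri.scheme.downcase)
  return nil if uri.host && !allowed_hosts.include?(uri.host.downcase)

  path = uri.path.to_s
  path = "/#{path}" unless path.start_with?("/")
  uri.query ? "#{path}?#{uri.query}" : path # fragment is deliberately dropped
rescue URI::InvalidURIError
  nil
end

# Join the sanitized target onto the fixed base. Because the target never
# carries an authority, URI.join cannot move the request off the base host.
def build_request_url(base, target, allowed_hosts: ALLOWED_HOSTS)
  rel = safe_relative_target(target, allowed_hosts: allowed_hosts)
  rel && URI.join(base, rel).to_s
end

if __FILE__ == $PROGRAM_NAME
  base = "https://api.example.com/"
  [
    "/v1/users?id=7",                                        # plain path, kept
    "//evil.tld/v1/users",                                   # protocol-relative String
    URI("https://evil.tld/v1/users"),                        # URI with foreign host
    URI::Generic.build(host: "evil.tld", path: "/v1/users"), # host-only URI object
    URI("https://api.example.com/v1/users?x=1#frag"),        # allowed host, stripped
  ].each { |t| puts "#{t.inspect} => #{build_request_url(base, t).inspect}" }
end
```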
# Update only the faraday gem in Gemfile.lock, leaving other dependencies pinned
bundle update faraday --conservative
bundle list | grep faraday
# Expected: faraday (2.14.3) or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.