{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25765", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.358Z", "datePublished": "2026-02-09T20:30:58.774Z", "dateUpdated": "2026-02-10T15:59:26.645Z"}, "containers": {"cna": {"title": "Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2"}, {"name": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc", "tags": ["x_refsource_MISC"], "url": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc"}, {"name": "https://github.com/lostisland/faraday/releases/tag/v2.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/lostisland/faraday/releases/tag/v2.14.1"}], "affected": [{"vendor": "lostisland", "product": "faraday", "versions": [{"version": "< 2.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:30:58.774Z"}, "descriptions": [{"lang": "en", "value": "Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1."}], "source": {"advisory": "GHSA-33mh-2634-fwr2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:39:44.597673Z", "id": "CVE-2026-25765", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:59:26.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25765", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:39:44.597673Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:39:45.460Z"}}], "cna": {"title": "Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url", "source": {"advisory": "GHSA-33mh-2634-fwr2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "lostisland", "product": "faraday", "versions": [{"status": "affected", "version": "< 2.14.1"}]}], "references": [{"url": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2", "name": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc", "name": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/lostisland/faraday/releases/tag/v2.14.1", "name": "https://github.com/lostisland/faraday/releases/tag/v2.14.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:30:58.774Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25765", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:59:26.645Z", "dateReserved": "2026-02-05T18:35:52.358Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T20:30:58.774Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EB2D675-BCBC-47F1-8782-F14A960DF3B1", "versionEndExcluding": "1.10.5", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*:*", "matchCriteriaId": "C612B716-C5E1-42C1-93EA-5609AEEBF64A", "versionEndExcluding": "2.14.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1."}, {"lang": "es", "value": "Faraday es una capa de abstracci\u00f3n de biblioteca cliente HTTP que proporciona una interfaz com\u00fan sobre muchos adaptadores. Antes de la versi\u00f3n 2.14.1, el m\u00e9todo build_exclusive_url de Faraday (en lib/faraday/connection.rb) utiliza URI#merge de Ruby para combinar la URL base de la conexi\u00f3n con una ruta proporcionada por el usuario. Seg\u00fan la RFC 3986, las URL relativas al protocolo (por ejemplo, //evil.com/path) se tratan como referencias de ruta de red que anulan el componente de host/autoridad de la URL base. Esto significa que si alguna aplicaci\u00f3n pasa entrada controlada por el usuario a los m\u00e9todos get(), post(), build_url() u otros m\u00e9todos de petici\u00f3n de Faraday, un atacante puede proporcionar una URL relativa al protocolo como //attacker.com/endpoint para redirigir la petici\u00f3n a un host arbitrario, lo que permite la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF). Esta vulnerabilidad se corrige en la versi\u00f3n 2.14.1."}], "id": "CVE-2026-25765", "lastModified": "2026-02-20T21:03:57.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T21:15:49.490", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/lostisland/faraday/releases/tag/v2.14.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Faraday: Faraday: Server-Side Request Forgery via protocol-relative URLs", "id": "2438241", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438241"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-1289", "details": ["A flaw was found in Faraday, an HTTP client library. The `build_exclusive_url` method, which combines a base URL with a user-supplied path, incorrectly processes protocol-relative URLs (e.g., //evil.com/path). This allows a remote attacker to supply a specially crafted URL, leading to Server-Side Request Forgery (SSRF). An attacker can exploit this to redirect requests to an arbitrary host, potentially accessing internal resources or bypassing security controls."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25765", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/eventrouter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/fluentd-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/log-file-metric-exporter-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-view-plugin-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/vector-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp20/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-kubernetes-nmstate-handler-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-02-09T20:30:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25765\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25765\nhttps://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc\nhttps://github.com/lostisland/faraday/releases/tag/v2.14.1\nhttps://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2"], "statement": "MODERATE: The Faraday HTTP client library, used in Red Hat 3scale API Management Platform and OpenShift Container Platform components, is vulnerable to Server-Side Request Forgery (SSRF). This flaw allows an attacker to redirect requests to arbitrary hosts if user-controlled input is passed to Faraday's request methods, due to incorrect processing of protocol-relative URLs.", "threat_severity": "Moderate"}

{"created": "2026-02-10T11:35:14.034169+00:00", "updated": "2026-02-10T11:35:14.034239+00:00", "vendors": ["lostisland", "lostisland$PRODUCT$faraday"]}