OESA-2026-2802

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2802
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2802.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2802
Upstream
Published
2026-07-06T06:25:47Z
Modified
2026-07-06T06:45:09.829545553Z
Summary
rubygem-faraday security update
Details

HTTP/REST API client library

Security Fix(es):

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.(CVE-2026-25765)

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths. This vulnerability is fixed in 1.10.6 and 2.14.3.(CVE-2026-54297)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / rubygem-faraday

Package

Name
rubygem-faraday
Purl
pkg:rpm/openEuler/rubygem-faraday&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-2.oe2203sp4

Ecosystem specific

{
    "noarch": [
        "rubygem-faraday-1.7.0-2.oe2203sp4.noarch.rpm",
        "rubygem-faraday-doc-1.7.0-2.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "rubygem-faraday-1.7.0-2.oe2203sp4.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2802.json"