CVE-2026-33637 | THREATINT

Description

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

PUBLISHED Reserved 2026-03-23 | Published 2026-05-19 | Updated 2026-05-19 | Assigner GitHub_M

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

>= 2.0.0, <= 2.14.2

affected

References

github.com/...araday/security/advisories/GHSA-5rv5-xj5j-3484 exploit

github.com/...araday/security/advisories/GHSA-5rv5-xj5j-3484

github.com/advisories/GHSA-33mh-2634-fwr2

cve.org (CVE-2026-33637)

nvd.nist.gov (CVE-2026-33637)

Download JSON