{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T09:07:57.194","vulnerabilities":[{"cve":{"id":"CVE-2026-25765","sourceIdentifier":"security-advisories@github.com","published":"2026-02-09T21:15:49.490","lastModified":"2026-02-20T21:03:57.723","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1."},{"lang":"es","value":"Faraday es una capa de abstracción de biblioteca cliente HTTP que proporciona una interfaz común sobre muchos adaptadores. Antes de la versión 2.14.1, el método build_exclusive_url de Faraday (en lib/faraday/connection.rb) utiliza URI#merge de Ruby para combinar la URL base de la conexión con una ruta proporcionada por el usuario. Según la RFC 3986, las URL relativas al protocolo (por ejemplo, //evil.com/path) se tratan como referencias de ruta de red que anulan el componente de host/autoridad de la URL base. Esto significa que si alguna aplicación pasa entrada controlada por el usuario a los métodos get(), post(), build_url() u otros métodos de petición de Faraday, un atacante puede proporcionar una URL relativa al protocolo como //attacker.com/endpoint para redirigir la petición a un host arbitrario, lo que permite la falsificación de petición del lado del servidor (SSRF). Esta vulnerabilidad se corrige en la versión 2.14.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N","baseScore":5.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.10.5","matchCriteriaId":"5EB2D675-BCBC-47F1-8782-F14A960DF3B1"},{"vulnerable":true,"criteria":"cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.14.1","matchCriteriaId":"C612B716-C5E1-42C1-93EA-5609AEEBF64A"}]}]}],"references":[{"url":"https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/lostisland/faraday/releases/tag/v2.14.1","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}