CVE-2026-25765: CWE-918: Server-Side Request Forgery (SSRF) in lostisland faraday
CVE-2026-25765 is a Server-Side Request Forgery (SSRF) vulnerability in the lostisland Faraday HTTP client library in versions prior to 2.14.1. The issue arises because the build_exclusive_url method combines the connection's base URL with the request path using Ruby's URI#merge, which follows RFC 3986 reference resolution and treats a protocol-relative URL (one beginning with //) as a network-path reference whose authority replaces the base URL's host. If user input is passed unchecked as the path argument to Faraday's request methods, an attacker can supply such a URL to make the application send the request to a host of the attacker's choosing, including internal services. The vulnerability has a CVSS 3.1 score of 5.8 (medium severity) and requires neither authentication nor user interaction. It affects applications using vulnerable Faraday versions and is fixed in version 2.14.1.
AI Analysis
Technical Summary
CVE-2026-25765 is a Server-Side Request Forgery (SSRF) vulnerability in the lostisland Faraday HTTP client library, affecting versions prior to 2.14.1. Faraday provides an abstraction layer over various HTTP adapters in Ruby applications, and a Faraday::Connection is normally created with a base URL (url_prefix) to which per-request paths are appended. The vulnerability exists in the build_exclusive_url method in lib/faraday/connection.rb, which combines that base URL with the caller-supplied path using Ruby's URI#merge. Under RFC 3986 reference resolution, a protocol-relative URL such as //evil.com/path is a network-path reference: it keeps the base scheme but replaces the base URL's authority (host and port). So a base of https://api.example.com/v1/ merged with //evil.com/path resolves to https://evil.com/path. If an application passes user input as the path to Faraday's get(), post(), build_url() or other request methods, an attacker can therefore make the server issue the request to any host they choose, external or internal. Exploitation needs no authentication or user interaction, and the resulting server-side requests can reach internal services, cloud metadata endpoints or other destinations the application was never meant to contact. The vulnerability has a CVSS 3.1 score of 5.8 (medium), with attack vector network, low attack complexity, no privileges required, no user interaction and a scope change. The flaw is fixed in Faraday 2.14.1, where the handling of protocol-relative URLs was corrected so that they can no longer override the base URL's host. One caveat for practitioners: Faraday has always, by design, accepted an absolute URL (for example http://169.254.169.254/) as the path argument, and such a URL replaces the base URL entirely regardless of version, so applications that pass untrusted input to these methods still need their own validation or allowlisting after upgrading. No known exploits are reported in the wild as of the publication date. Organizations using Faraday versions below 2.14.1 in applications where user input reaches HTTP request methods should prioritize patching. The vulnerability is classified under CWE-918 (Server-Side Request Forgery).
Potential Impact
For European organizations, this SSRF vulnerability poses a risk primarily to web applications and services that utilize the Faraday HTTP client library versions prior to 2.14.1 and accept user-controlled input for HTTP requests. Exploitation could allow attackers to make arbitrary HTTP requests from the vulnerable server to internal or external systems, potentially bypassing network access controls. This may lead to unauthorized access to internal services, data exfiltration, or reconnaissance of internal network infrastructure. While the vulnerability does not directly allow data modification or denial of service, the ability to pivot within internal networks or access sensitive endpoints can have significant security implications. Organizations in sectors with sensitive data or critical infrastructure, such as finance, healthcare, and government, may face increased risks. The medium severity rating reflects the moderate impact and ease of exploitation without authentication. Given the widespread use of Ruby and Faraday in web development, European organizations using these technologies should assess their exposure and remediate promptly to prevent potential SSRF exploitation.
Mitigation Recommendations
1. Upgrade all instances of the Faraday library to version 2.14.1 or later, where the vulnerability is fixed.
2. Validate any user-supplied URLs or paths before passing them to Faraday request methods. Reject protocol-relative input (beginning with //) and absolute URLs, or, more robustly, resolve the input against the base URL and confirm the result still has the base scheme, host and port; the latter also catches absolute URLs, which Faraday accepts as a path override even after the fix.
3. Allowlist the domains or IP addresses the application may contact, so that outbound HTTP requests are restricted to trusted destinations only.
4. Use network segmentation and firewall rules to limit the application's ability to reach sensitive internal resources (including cloud metadata endpoints) or untrusted external networks.
5. Monitor application logs and outbound network traffic for requests to unexpected hosts, which may indicate attempted exploitation.
6. Conduct code reviews and security testing focused on HTTP client usage patterns to identify and remediate similar SSRF risks.
7. Educate development teams about SSRF and the secure handling of user input in HTTP requests.
These measures combined reduce the risk of exploitation beyond simply patching the library.
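The merge step described in the technical summary and the validation recommended in mitigation step 2, as an added Ruby example written for this page (it is not Faraday's own code and not the project's fix). It reproduces the URI#merge resolution that build_exclusive_url relied on, using only Ruby's standard uri library, and then shows a same-origin check an application can apply before handing a user-supplied path to a Faraday connection. The base URL api.example.com, the helper names resolve_like_faraday, resolve_same_origin and outbound_allowed?, and the sample inputs are all constructed for the example.

```ruby
require 'uri'

# Constructed base URL, standing in for what an application passes to
# Faraday.new(url: ...). The trailing slash matters: build_exclusive_url
# appends one before merging so that relative paths land under the prefix.
BASE = URI('https://api.example.com/v1/')

# Reproduces the resolution step behind the vulnerable build_exclusive_url:
# Faraday computed `base + url`, and URI#+ is URI#merge, i.e. RFC 3986
# reference resolution. A network-path reference (//host/path) keeps the
# base scheme but replaces its authority; an absolute URL replaces everything.
def resolve_like_faraday(base, user_path)
  base + user_path.to_s
end

# Hardened wrapper (example, not Faraday's API): resolve first, then require
# that the result still has the base's scheme, host and port and stays under
# the base path. Checking the resolved URI instead of pattern-matching the
# input string covers //host, scheme://host and ../ escapes alike.
def resolve_same_origin(base, user_path)
  target = resolve_like_faraday(base, user_path)
  same_origin = target.scheme == base.scheme &&
                target.host == base.host &&
                target.port == base.port
  raise ArgumentError, "refusing to leave #{base.host}: #{target}" unless same_origin
  unless target.path.start_with?(base.path)
    raise ArgumentError, "path escapes #{base.path}: #{target.path}"
  end
  target
end

# Boolean form for policy checks or tests.
def outbound_allowed?(base, user_path)
  resolve_same_origin(base, user_path)
  true
rescue ArgumentError, URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one benign relative path and three SSRF attempts.
  samples = ['users/42',
             '//evil.com/path',
             'http://169.254.169.254/latest/meta-data/',
             '../admin']
  samples.each do |p|
    puts format('%-45s -> %-45s allowed=%s',
                p.inspect, resolve_like_faraday(BASE, p), outbound_allowed?(BASE, p))
  end
end
```

The first line of output shows the relative path resolving under /v1/ and being allowed; the second shows //evil.com/path resolving to https://evil.com/path, which is exactly the host override behind the CVE, and being rejected. Checking the resolved URI rather than the raw input is what makes the same check also reject the absolute metadata URL and the ../ escape.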
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-05T18:35:52.358Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 698a47984b57a58fa1702e39
Added to database: 2/9/2026, 8:46:16 PM
Last enriched: 2/17/2026, 9:48:12 AM
Last updated: 2/21/2026, 12:16:43 AM
Related Threats
CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp (High)
CVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail (High)
CVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator (High)
CVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno (High)
CVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf (Medium)