diff --git a/gems/faraday/CVE-2026-33637.yml b/gems/faraday/CVE-2026-33637.yml new file mode 100644 index 0000000000..b0bd0c2a17 --- /dev/null +++ b/gems/faraday/CVE-2026-33637.yml 
@@ -0,0 +1,47 @@ +--- +gem: faraday +cve: 2026-33637 +ghsa: 5rv5-xj5j-3484 +url: https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484 +title: Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - + protocol-relative URI objects still bypass host scoping +date: 2026-05-18 +description: | + ## Summary + + `Faraday::Connection#build_exclusive_url` still allows protocol-relative + host override when the request target is provided as a `URI` object + instead of a `String`. This bypasses the February 2026 fix for + `GHSA-33mh-2634-fwr2` and can redirect a request built from a fixed-base + `Faraday::Connection` to an attacker-controlled host while preserving + connection-scoped headers such as `Authorization`. + + ## Supporting Materials + + - Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2 + - Existing CVE for the original string-based issue: CVE-2026-25765 + - Existing regression tests for the string-only fix: + - spec/faraday/connection_spec.rb:314-345 + - Existing test proving supported URI request input: + - spec/faraday/request_spec.rb:26-31 + + ## Impact + + The direct consequence is off-host request forgery from code paths + that believe they are constrained to a fixed base URL. If the + connection carries default headers or query parameters, those + values are forwarded to the attacker-selected host. +cvss_v3: 0.0 +unaffected_versions: + - "< 2.0.0" +patched_versions: + - ">= 2.14.2" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-33637 + - https://github.com/lostisland/faraday/releases/tag/v2.14.2 + - https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484 + - https://github.com/advisories/GHSA-33mh-2634-fwr2 + - https://github.com/advisories/GHSA-5rv5-xj5j-3484 +notes: | + - ZERO CVSS value in GHSA and NVD
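Review bot: `cvss_v3: 0.0` encodes a real score of zero (CVSS "None" severity) for an issue whose own description is off-host request forgery with forwarded `Authorization` headers, and the `notes:` block confirms no score was actually assigned by GHSA or NVD. Tooling that reads this file (severity filtering, criticality thresholds) will treat 0.0 as an assessed low-severity result rather than "unscored", so either drop the `cvss_v3` key entirely and keep the explanatory note, or use the upstream-provided vector once one is published. Separately, the `related: url:` list repeats the primary advisory twice (`https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484`, which is already the top-level `url:`, and its `https://github.com/advisories/GHSA-5rv5-xj5j-3484` mirror); keeping only entries not already referenced, such as the NVD record, the v2.14.2 release tag and the prior GHSA-33mh-2634-fwr2 advisory, avoids the duplication.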