Source: ruby-faraday Version: 2.14.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for ruby-faraday. CVE-2026-33637[0]: | Faraday is an HTTP client library abstraction layer that provides a | common interface over many adapters. Versions 2.0.0 through 2.14.1 | still allow protocol-relative host override when the request target | is passed as a URI object (rather than a String) to | Faraday::Connection#build_exclusive_url. This bypasses the February | 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request | forgery: a request built from a fixed-base Faraday::Connection can | be redirected to an attacker-controlled host, forwarding connection- | scoped values such as Authorization headers and default query | parameters. This issue has been fixed in version 2.14.3. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-33637 https://www.cve.org/CVERecord?id=CVE-2026-33637 [1] https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484 Regards, Salvatore
