CVE-2026-33637 NONE

CVE-2026-33637: Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)

Vendor Lostisland

Product faraday

Weakness CWE-918 · SSRF

Published May 19, 2026

Last update May 19, 2026

View on NVD All CVEs

CVSS base score

0.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

What the vulnerability does

01Description

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

Key dates

02Disclosure timeline

May 19, 2026 CVE published

May 19, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33637

Related vulnerabilities

CVE-2026-33637: Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)

01Description

02Disclosure timeline

03References

04Related CVE