CVE-2026-25765: Faraday SSRF: When a Double Slash Becomes a Double Agent


Vulnerability ID: CVE-2026-25765
CVSS Score: 5.8
Published: 2026-02-09

A Server-Side Request Forgery (SSRF) vulnerability in the popular Ruby 'faraday' gem (CVSS 5.8, Medium) allows attackers to redirect HTTP requests to arbitrary hosts using protocol-relative URLs. By supplying a path that starts with a double slash (//), an attacker bypasses the path-sanitization logic, and the library treats the input as a new network authority (a scheme-relative host) rather than as a relative path under the configured base URL.

TL;DR

Faraday < 2.14.1 fails to sanitize protocol-relative URLs (e.g., '//attacker.com'). This allows attackers to bypass the intended base URL and force the application to send requests (and potentially sensitive headers) to an external server.


Technical Details

  • CWE: CWE-918 (Server-Side Request Forgery)
  • CVSS v3.1: 5.8 (Medium)
  • Attack Vector: Network (Remote)
  • Privileges Required: None
  • Impact: Confidentiality (Header Leakage)
  • Exploit Status: PoC Available

Affected Systems

  • Ruby on Rails applications using Faraday
  • Ruby microservices
  • Any Ruby application proxying requests via Faraday
  • faraday: < 2.14.1 (Fixed in: 2.14.1)

Code Analysis

Commit: a6d3a3a

Fix: ensure relative url with double slash is parsed correctly

@@ -481,7 +481,8 @@
       end
-      url = "./#{url}" if url.respond_to?(:start_with?) && !url.start_with?('http://', 'https://', '/', './', '../')
+      url = "./#{url}" if url.respond_to?(:start_with?) &&
+                          (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))
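Review bot: the `respond_to?(:start_with?)` guard on the same line means the new `|| url.start_with?('//')` clause only ever sees String inputs; a `URI` object built from `'//attacker.com'` already carries a `host`, so it skips this prefixing entirely and still lands on the foreign authority when merged with the base. Either normalize URI inputs on the same path or document that callers must pass strings, and add a regression test with this change asserting that `'//example.com'` resolves to a path under the configured base rather than to `example.com`.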
Mitigation Strategies

  • Upgrade Faraday gem to version >= 2.14.1
  • Implement strict input validation on all user-supplied paths
  • Avoid passing raw user input to conn.get() or conn.post() methods
  • Monitor outbound traffic for unexpected domains

Remediation Steps:

  1. Check current version: bundle show faraday
  2. Update Gemfile: gem 'faraday', '>= 2.14.1'
  3. Run update: bundle update faraday
  4. Verify the patch by attempting to pass //example.com to a test connection
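As an added example for the validation, egress-monitoring and verification items above (not from the Faraday project), the following Ruby code allowlists a user-supplied relative path before it ever reaches conn.get, and separately checks that the resolved request still targets the configured base. API_BASE and the sample inputs are constructed, and guarded_url is a hypothetical helper name.

```ruby
require 'uri'

# Constructed base URL for the demonstration; not a real service.
API_BASE = 'https://api.internal.example/v1/'

# One path segment: letters, digits and a few URL-safe punctuation characters.
# No ':' (so "https://..." cannot pass) and no '/' (segments are split first).
SEGMENT = /\A[A-Za-z0-9._~-]+\z/

# Allowlist check for a caller-supplied *relative* path. Rejects anything
# rooted ('/...'), protocol-relative ('//host'), carrying a scheme, containing
# empty segments ('a//b') or dot segments ('.', '..').
def safe_relative_path?(input)
  return false unless input.is_a?(String) && !input.empty?
  return false if input.start_with?('/')
  segments = input.split('/', -1)
  return false if segments.any?(&:empty?)
  segments.all? { |s| s.match?(SEGMENT) && s != '.' && s != '..' }
end

# Egress check: resolve the path the way the HTTP client will and confirm the
# request still targets the configured base (scheme, host and port). This is
# the programmatic form of remediation step 4 and of monitoring outbound hosts.
def stays_on_base?(base, path)
  base_uri = URI(base)
  target = URI.join(base_uri, path)
  [target.scheme, target.host, target.port] == [base_uri.scheme, base_uri.host, base_uri.port]
rescue URI::InvalidURIError
  false
end

# Build the final URL only when both checks pass; otherwise return nil so the
# caller can refuse the request and log it instead of handing raw input to the client.
def guarded_url(base, input)
  return nil unless safe_relative_path?(input) && stays_on_base?(base, input)
  URI.join(base, input).to_s
end

if __FILE__ == $PROGRAM_NAME
  ['users/1', '//attacker.example/steal', '../admin/keys', 'https://attacker.example/'].each do |p|
    puts format('%-30s -> %s', p.inspect, guarded_url(API_BASE, p) || 'REJECTED')
  end
end
```

The two checks are deliberately independent: the allowlist is the primary control and does not depend on the gem version, while stays_on_base? is the post-upgrade verification from step 4 expressed as code, and it also catches absolute URLs that the library's "./" prefixing intentionally leaves alone.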
