SSRF in Faraday_project Faraday
CVE-2026-33637
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather th…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (1.3th percentile)
Affected products
- Faraday_project Faraday
- Lostisland Faraday — versions >= 2.0.0, <= 2.14.2
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM, Exploit, Vendor Advisory)
- security-advisories@github.com (x_refsource_MISC, Vendor Advisory)