Executive Summary

CVE-2026-33637 is a vulnerability in the Faraday Ruby HTTP client library versions 2.0.0 through 2.14.1. It allows protocol-relative URI objects to bypass host scoping restrictions when passed as URI objects instead of strings. This means that an attacker can craft a request that overrides the intended host with an attacker-controlled host, causing the application to send requests to malicious servers.

The vulnerability is a regression of a previous fix and enables off-host request forgery by forwarding sensitive connection-scoped values such as Authorization headers and default query parameters to the attacker-controlled host. This occurs because the protocol-relative URI (e.g., //evil.example/pwn) overrides the base host, allowing unauthorized requests to external hosts.

This issue was confirmed with proof-of-concept code and affects real adapters like net_http. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and was fixed in Faraday version 2.14.3.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to redirect HTTP requests from your application to an attacker-controlled host while preserving sensitive headers such as Authorization tokens and default query parameters.

As a result, your application might unintentionally disclose sensitive information or perform unauthorized actions on behalf of the user or system, potentially leading to data leakage or misuse of credentials.

However, the severity is considered low (CVSS score 0.0) due to limited impact, but it still enables off-host request forgery which can be exploited in certain scenarios.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Faraday Ruby library allowing protocol-relative URI objects to bypass host scoping restrictions, enabling off-host request forgery. Detection involves identifying if your application uses vulnerable Faraday versions (2.0.0 through 2.14.1) and if it passes URI objects (instead of strings) to Faraday request methods.

To detect exploitation attempts on your network or system, monitor outgoing HTTP requests for unusual host redirections, especially requests where the host is overridden by protocol-relative URIs (e.g., URLs starting with //evil.example).

Since this is a library-level vulnerability, detection commands would focus on checking the installed Faraday version and scanning code for usage patterns.

• Check Faraday version in your Ruby environment: `bundle list | grep faraday` or `gem list faraday`
• Search your codebase for usage of Faraday request methods with URI objects: `grep -r "Faraday.*URI(" ./` or `grep -r "conn.get(URI" ./`
• Monitor outgoing HTTP requests for suspicious host overrides, e.g., using network monitoring tools or logging HTTP client requests.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the Faraday library to version 2.14.3 or later, where this vulnerability has been fixed.

As an immediate workaround, validate and sanitize any user input that is passed to Faraday request methods to prevent protocol-relative URLs from being used.

• Reject or sanitize paths starting with // followed by a non-/ character to prevent protocol-relative host overrides.
• Prepend './' to user-supplied paths before passing them to Faraday to ensure they are treated as relative paths.

Review your code to avoid passing URI objects directly to Faraday request methods; prefer passing strings that are properly validated.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0