lostisland faraday
cpe:2.3:a:faraday_project:faraday:*:*:*:*:*:*:*
- <= 2.14.0
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Faraday HTTP client library, affecting versions through 2.14.0. The issue arises in the 'build_exclusive_url' method, where protocol-relative URLs can override the base URL's host, allowing attackers to redirect requests to arbitrary hosts. This vulnerability is exploitable when user-controlled input is passed to Faraday's request methods.
Exploitation of this vulnerability allows for Server-Side Request Forgery, where an attacker can manipulate the server to make requests to internal or external resources on their behalf.
To reproduce this vulnerability, create a Faraday connection and use the 'get' or 'post' methods with a protocol-relative URL that starts with '//' as the path. The request will be sent to the specified host instead of the intended base URL host.
Users are advised to upgrade to Faraday version 2.14.1 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, validate and sanitize user input before passing it to Faraday's request methods. Reject or strip input that starts with '//' followed by a non-'/' character, use an allowlist of permitted path prefixes, or prepend './' to user-supplied paths before passing them to Faraday.
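The following Ruby snippet is an added example, not code from the Faraday project, showing the input checks recommended above and why they matter. It uses Ruby's standard URI merge (the same RFC 3986 relative-reference resolution that lets a '//host/...' path replace the base host) instead of calling Faraday itself, so it runs without the gem; the base URL and the allowlist of path prefixes are assumed values for illustration.

```ruby
require 'uri'

# Constructed base URL and allowlist for the example (not from the advisory).
BASE_URL = 'https://api.example.com/v1/'.freeze
ALLOWED_PREFIXES = %w[users/ orders/].freeze

# True when the input is a protocol-relative reference: '//' followed by a
# non-'/' character, which relative-URL resolution treats as a new authority.
def protocol_relative?(path)
  path.match?(%r{\A//[^/]})
end

# Allowlist check: the path must begin with one of the permitted prefixes.
def allowed_path?(path)
  ALLOWED_PREFIXES.any? { |prefix| path.start_with?(prefix) }
end

# Returns a path that is safe to hand to Faraday's request methods, applying
# the advisory's three mitigations: reject '//' input, enforce an allowlist,
# and prepend './' so the result stays relative to the base path.
def sanitize_user_path(path)
  raise ArgumentError, "protocol-relative path rejected: #{path.inspect}" if protocol_relative?(path)
  raise ArgumentError, "path not in allowlist: #{path.inspect}" unless allowed_path?(path)
  "./#{path}"
end

# Resolve a path against the base URL with Ruby's URI merge and report the
# host the request would actually reach.
def resolved_host(path)
  (URI(BASE_URL) + path).host
end

if __FILE__ == $PROGRAM_NAME
  # Unsanitized: the attacker-supplied authority replaces the base host.
  puts "raw '//evil.example/x'   -> #{resolved_host('//evil.example/x')}"
  # Sanitized: the request stays on the base host.
  puts "sanitized 'users/42'      -> #{resolved_host(sanitize_user_path('users/42'))}"
end
```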