Faraday Off-Host Request Forgery Vulnerability via Protocol-Relative URL Host Override

Vulnerability

A vulnerability in the Faraday HTTP client library, affecting versions 2.0.0 through 2.14.1, allows off-host request forgery. The issue arises because a protocol-relative URL can override the host of a request when the target is provided as a URI object to the 'Faraday::Connection#build_exclusive_url' method. As a result, requests can be redirected to an attacker-controlled host while still carrying connection-scoped values such as Authorization headers and default query parameters. The root cause is a flaw in how Faraday handles user-supplied input; it bypasses a previous fix implemented in February 2026.

Impact

Exploitation of this vulnerability leads to off-host request forgery, allowing an attacker to redirect requests to a malicious server while preserving sensitive headers like Authorization.

Reproduction

The vulnerability can be reproduced by creating a Faraday connection with a fixed base URL and then using a protocol-relative URI object as the request target. The request is sent to the host named in that URI object instead of the intended base URL, with any connection-scoped headers such as Authorization included.

Remediation

Users are advised to upgrade to Faraday version 2.14.2 or 1.10.5. If an immediate upgrade is not possible, validate and sanitize user input before passing it to Faraday request methods: reject or strip input that starts with '//' followed by a non-'/' character, use an allowlist of permitted path prefixes, or prepend './' to all user-supplied paths before passing them to Faraday.

Added: May 19, 2026, 7:28 PM
Updated: May 19, 2026, 7:28 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.