by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed 23 packages
- faraday
- faraday-cli
- faraday-agent-dispatcher
- ocamlPackages.faraday
- ocamlPackages.faraday-lwt
- ocamlPackages.faraday-async
- ocamlPackages_latest.faraday
- rubyPackages.faraday-net_http
- ocamlPackages.faraday-lwt-unix
- ocamlPackages_latest.faraday-lwt
- python312Packages.faraday-plugins
- python313Packages.faraday-plugins
- python314Packages.faraday-plugins
- rubyPackages_3_1.faraday-net_http
- rubyPackages_3_2.faraday-net_http
- ocamlPackages_latest.faraday-async
- ocamlPackages_latest.faraday-lwt-unix
- python312Packages.faraday-agent-parameters-types
- python313Packages.faraday-agent-parameters-types
- rubyPackages_4_0.faraday-net_http
- rubyPackages_3_4.faraday-net_http
- rubyPackages_3_3.faraday-net_http
- python314Packages.faraday-agent-parameters-types
- @LeSuisse accepted
- @LeSuisse published on GitHub
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
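As an added illustration (not part of the advisory and not Faraday's own code), the Ruby snippet below reproduces the URI#merge behaviour the advisory describes and shows the check an application can apply to user-controlled paths before handing them to any HTTP client. The base URL and host names are constructed placeholders; `safe_merge` is a hypothetical helper, not a Faraday API.

```ruby
require "uri"

# Constructed base URL for illustration only.
BASE = URI.parse("https://api.example.com/v1/")

# Shows the merge behaviour the advisory describes: URI#merge treats a
# path beginning with "//" as a network-path reference (RFC 3986 4.2),
# so the authority (host) of the base URL is replaced by the reference's.
def merged_host(base, path)
  base.merge(path).host
end

# Defensive check an application can run before building a request:
# merge, then verify that scheme and host are unchanged. Comparing the
# merged result against the base catches both "//host/path" references
# and fully absolute URLs, which URI#merge also returns unchanged.
# Returns the merged URI or raises ArgumentError.
def safe_merge(base, path)
  merged = base.merge(path)
  unless merged.scheme == base.scheme && merged.host == base.host
    raise ArgumentError, "request would leave #{base.host}: #{merged}"
  end
  merged
end

if __FILE__ == $PROGRAM_NAME
  puts merged_host(BASE, "users/1")            # api.example.com
  puts merged_host(BASE, "//other.example/x")  # other.example (authority overridden)
  puts safe_merge(BASE, "users/1")             # https://api.example.com/v1/users/1
  begin
    safe_merge(BASE, "//other.example/x")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same post-merge comparison is the condition the fixed Faraday release enforces in spirit: rather than pattern-matching the input, compare the URL you are about to request against the connection's configured origin.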
Affected products
- < 2.14.1
Matching in nixpkgs
pkgs.rubyPackages.faraday
None
pkgs.rubyPackages_3_1.faraday
None
pkgs.rubyPackages_3_2.faraday
None
pkgs.rubyPackages_3_3.faraday
None
pkgs.rubyPackages_3_4.faraday
None
Ignored packages (23)
pkgs.faraday
LND Channel Management Tools
- nixos-unstable 0.2.14-alpha
- nixpkgs-unstable 0.2.14-alpha
- nixos-unstable-small 0.2.14-alpha
- nixos-25.11 0.2.14-alpha
- nixos-25.11-small 0.2.14-alpha
- nixpkgs-25.11-darwin 0.2.14-alpha
pkgs.faraday-cli
Command Line Interface for Faraday
pkgs.ocamlPackages.faraday
Serialization library built for speed and memory efficiency
pkgs.faraday-agent-dispatcher
Tool to send result from tools to the Faraday Platform
pkgs.ocamlPackages.faraday-lwt
Lwt support for Faraday
pkgs.ocamlPackages.faraday-async
Async support for Faraday
pkgs.ocamlPackages_latest.faraday
Serialization library built for speed and memory efficiency
pkgs.rubyPackages.faraday-net_http
None
pkgs.ocamlPackages.faraday-lwt-unix
Lwt + Unix support for Faraday
pkgs.ocamlPackages_latest.faraday-lwt
Lwt support for Faraday
pkgs.python312Packages.faraday-plugins
Security tools report parsers for Faraday
pkgs.python313Packages.faraday-plugins
Security tools report parsers for Faraday
pkgs.python314Packages.faraday-plugins
Security tools report parsers for Faraday
pkgs.rubyPackages_3_1.faraday-net_http
None
pkgs.rubyPackages_3_2.faraday-net_http
None
pkgs.rubyPackages_3_3.faraday-net_http
None
pkgs.rubyPackages_3_4.faraday-net_http
None
pkgs.rubyPackages_4_0.faraday-net_http
None
pkgs.ocamlPackages_latest.faraday-async
Async support for Faraday
pkgs.ocamlPackages_latest.faraday-lwt-unix
Lwt + Unix support for Faraday
pkgs.python312Packages.faraday-agent-parameters-types
Collection of Faraday agent parameters types
pkgs.python313Packages.faraday-agent-parameters-types
Collection of Faraday agent parameters types
pkgs.python314Packages.faraday-agent-parameters-types
Collection of Faraday agent parameters types
Package maintainers
- @prusnak Pavol Rusnak <pavol@rusnak.io>
- @ProofOfKeags Keagan McClelland <keagan.mcclelland@gmail.com>
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>
- @vbgl Vincent Laporte <Vincent.Laporte@gmail.com>