Skip to content

faraday-retry-2.2.1.gem: 5 vulnerabilities (highest severity is: 7.5) #261

Description

@mend-for-github-com
Vulnerable Library - faraday-retry-2.2.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/faraday-2.12.0.gem

Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (faraday-retry version) Remediation Possible** Reachability
CVE-2026-54297 High 7.5 Not Defined 0.391% faraday-2.12.0.gem Transitive N/A*
CVE-2026-25765 Medium 5.8 Not Defined 0.351% faraday-2.12.0.gem Transitive N/A*
CVE-2025-61594 Medium 4.3 Not Defined 0.51% uri-0.13.1.gem Transitive N/A*
CVE-2025-27221 Low 3.2 Not Defined 0.472% uri-0.13.1.gem Transitive N/A*
CVE-2026-33637 Low 0.0 Not Defined 0.272% faraday-2.12.0.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-54297

Vulnerable Library - faraday-2.12.0.gem

Library home page: https://rubygems.org/gems/faraday-2.12.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/faraday-2.12.0.gem

Dependency Hierarchy:

  • faraday-retry-2.2.1.gem (Root Library)
    • faraday-2.12.0.gem (Vulnerable Library)

Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35

Found in base branch: master

Vulnerability Details

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths. This vulnerability is fixed in 1.10.6 and 2.14.3.

Publish Date: 2026-06-24

URL: CVE-2026-54297

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.391%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-98m9-hrrm-r99r

Release Date: 2026-06-19

Fix Resolution: faraday - 2.14.3,faraday - 1.10.6

CVE-2026-25765

Vulnerable Library - faraday-2.12.0.gem

Library home page: https://rubygems.org/gems/faraday-2.12.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/faraday-2.12.0.gem

Dependency Hierarchy:

  • faraday-retry-2.2.1.gem (Root Library)
    • faraday-2.12.0.gem (Vulnerable Library)

Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35

Found in base branch: master

Vulnerability Details

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.

Publish Date: 2026-02-09

URL: CVE-2026-25765

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.351%

CVSS 3 Score Details (5.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-33mh-2634-fwr2

Release Date: 2026-02-09

Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1

CVE-2025-61594

Vulnerable Library - uri-0.13.1.gem

URI is a module providing classes to handle Uniform Resource Identifiers

Library home page: https://rubygems.org/gems/uri-0.13.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/uri-0.13.1.gem

Dependency Hierarchy:

  • faraday-retry-2.2.1.gem (Root Library)
    • faraday-2.12.0.gem
      • faraday-net_http-3.3.0.gem
        • net-http-0.4.1.gem
          • uri-0.13.1.gem (Vulnerable Library)

Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35

Found in base branch: master

Vulnerability Details

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Publish Date: 2025-12-30

URL: CVE-2025-61594

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.51%

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-12-30

Fix Resolution: https://github.com/ruby/uri.git - v0.12.5,https://github.com/ruby/uri.git - v1.0.4,https://github.com/ruby/uri.git - v0.13.3

CVE-2025-27221

Vulnerable Library - uri-0.13.1.gem

URI is a module providing classes to handle Uniform Resource Identifiers

Library home page: https://rubygems.org/gems/uri-0.13.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/uri-0.13.1.gem

Dependency Hierarchy:

  • faraday-retry-2.2.1.gem (Root Library)
    • faraday-2.12.0.gem
      • faraday-net_http-3.3.0.gem
        • net-http-0.4.1.gem
          • uri-0.13.1.gem (Vulnerable Library)

Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35

Found in base branch: master

Vulnerability Details

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Publish Date: 2025-03-03

URL: CVE-2025-27221

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.472%

CVSS 3 Score Details (3.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-22h5-pq3x-2gf2

Release Date: 2025-03-03

Fix Resolution: uri - 0.11.3,uri - 1.0.3,uri - 0.12.4,uri - 0.13.2

CVE-2026-33637

Vulnerable Library - faraday-2.12.0.gem

Library home page: https://rubygems.org/gems/faraday-2.12.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/faraday-2.12.0.gem

Dependency Hierarchy:

  • faraday-retry-2.2.1.gem (Root Library)
    • faraday-2.12.0.gem (Vulnerable Library)

Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35

Found in base branch: master

Vulnerability Details

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

Publish Date: 2026-05-19

URL: CVE-2026-33637

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.272%

CVSS 3 Score Details (0.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rv5-xj5j-3484

Release Date: 2026-05-18

Fix Resolution: faraday - 2.14.2

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions