Updated advisory posts against rubysec/ruby-advisory-db@f6f8da4

jasnow · RubySec CI · commit c1abd53fddeb · 2026-05-27T02:18:06.000Z
diff --git a/advisories/_posts/2026-05-18-CVE-2026-33637.md b/advisories/_posts/2026-05-18-CVE-2026-33637.md
@@ -0,0 +1,54 @@
+---
+layout: advisory
+title: 'CVE-2026-33637 (faraday): Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2
+  - protocol-relative URI objects still bypass host scoping'
+comments: false
+categories:
+- faraday
+advisory:
+  gem: faraday
+  cve: 2026-33637
+  ghsa: 5rv5-xj5j-3484
+  url: https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
+  title: Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - protocol-relative
+    URI objects still bypass host scoping
+  date: 2026-05-18
+  description: |-
+    ## Summary
+
+    `Faraday::Connection#build_exclusive_url` still allows protocol-relative
+    host override when the request target is provided as a `URI` object
+    instead of a `String`. This bypasses the February 2026 fix for
+    `GHSA-33mh-2634-fwr2` and can redirect a request built from a fixed-base
+    `Faraday::Connection` to an attacker-controlled host while preserving
+    connection-scoped headers such as `Authorization`.
+
+    ## Supporting Materials
+
+    - Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
+    - Existing CVE for the original string-based issue: CVE-2026-25765
+    - Existing regression tests for the string-only fix:
+      - spec/faraday/connection_spec.rb:314-345
+    - Existing test proving supported URI request input:
+      - spec/faraday/request_spec.rb:26-31
+
+    ## Impact
+
+    The direct consequence is off-host request forgery from code paths
+    that believe they are constrained to a fixed base URL. If the
+    connection carries default headers or query parameters, those
+    values are forwarded to the attacker-selected host.
+  cvss_v3: 0.0
+  unaffected_versions:
+  - "< 2.0.0"
+  patched_versions:
+  - ">= 2.14.2"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-33637
+    - https://github.com/lostisland/faraday/releases/tag/v2.14.2
+    - https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
+    - https://github.com/advisories/GHSA-33mh-2634-fwr2
+    - https://github.com/advisories/GHSA-5rv5-xj5j-3484
+  notes: "- ZERO CVSS value in GHSA and NVD\n"
+---
