CVE-2026-33637

Published: Mag 19, 2026 Last Modified: Mag 19, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0003
Percentile
0,1th
Updated

Single Data Point

Only one EPSS measurement is available for this CVE. Trend analysis requires multiple data points over time.

918

Server-Side Request Forgery (SSRF)

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control
Potential Impacts:
Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism
Applicable Platforms
Technologies: Web Based, AI/ML, Web Server
View CWE Details
https://github.com/lostisland/faraday/security/advisories/G…
https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
https://github.com/advisories/GHSA-33mh-2634-fwr2
https://github.com/advisories/GHSA-33mh-2634-fwr2
https://github.com/lostisland/faraday/security/advisories/G…
https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484