GHSA/SYNC: 1 new faraday advisory

gems/faraday/CVE-2026-33637.yml

@@ -0,0 +1,47 @@
+---
+gem: faraday
+cve: 2026-33637
+ghsa: 5rv5-xj5j-3484
+url: https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
+title: Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 -
+  protocol-relative URI objects still bypass host scoping
+date: 2026-05-18
+description: |
+  ## Summary
+
+  `Faraday::Connection#build_exclusive_url` still allows protocol-relative
+  host override when the request target is provided as a `URI` object
+  instead of a `String`. This bypasses the February 2026 fix for
+  `GHSA-33mh-2634-fwr2` and can redirect a request built from a fixed-base
+  `Faraday::Connection` to an attacker-controlled host while preserving
+  connection-scoped headers such as `Authorization`.
+
+  ## Supporting Materials
+
+  - Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2
+  - Existing CVE for the original string-based issue: CVE-2026-25765
+  - Existing regression tests for the string-only fix:
+    - spec/faraday/connection_spec.rb:314-345
+  - Existing test proving supported URI request input:
+    - spec/faraday/request_spec.rb:26-31
+
+  ## Impact
+
+  The direct consequence is off-host request forgery from code paths
+  that believe they are constrained to a fixed base URL. If the
+  connection carries default headers or query parameters, those
+  values are forwarded to the attacker-selected host.
+cvss_v3: 0.0
+unaffected_versions:
+  - "< 2.0.0"
+patched_versions:
+  - ">= 2.14.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-33637
+    - https://github.com/lostisland/faraday/releases/tag/v2.14.2
+    - https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
+    - https://github.com/advisories/GHSA-33mh-2634-fwr2
+    - https://github.com/advisories/GHSA-5rv5-xj5j-3484
+notes: |
+  - ZERO CVSS value in GHSA and NVD