ByteOS Network

NVD Vulnerability Details :

CVE-2026-33637

Awaiting Analysis

Source-security-advisories@github.com

Published At-19 May, 2026 | 19:16

Updated At-19 May, 2026 | 21:08

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	0.0	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 0.0

Base severity: NONE

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-918	Primary	security-advisories@github.com

CWE ID: CWE-918

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/advisories/GHSA-33mh-2634-fwr2	security-advisories@github.com	N/A
https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484	security-advisories@github.com	N/A
https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A