Vulnerable Library - faraday-retry-2.2.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/uri-0.13.1.gem
Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35
Vulnerabilities
| Vulnerability | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (faraday-retry version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-25765 | Medium | 5.8 | Not Defined | 0.0% | faraday-2.12.0.gem | Transitive | N/A* | ❌ | |
| CVE-2025-61594 | Medium | 4.3 | Not Defined | 0.0% | uri-0.13.1.gem | Transitive | N/A* | ❌ | |
| CVE-2025-27221 | Low | 3.2 | Not Defined | 0.1% | uri-0.13.1.gem | Transitive | N/A* | ❌ | |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-25765
Vulnerable Library - faraday-2.12.0.gem
Library home page: https://rubygems.org/gems/faraday-2.12.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/faraday-2.12.0.gem
Dependency Hierarchy:
- faraday-retry-2.2.1.gem (Root Library)
  - ❌ faraday-2.12.0.gem (Vulnerable Library)
Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35
Found in base branch: master
Vulnerability Details
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Publish Date: 2026-02-09
URL: CVE-2026-25765
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-33mh-2634-fwr2
Release Date: 2026-02-09
Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1
CVE-2025-61594
Vulnerable Library - uri-0.13.1.gem
URI is a module providing classes to handle Uniform Resource Identifiers
Library home page: https://rubygems.org/gems/uri-0.13.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/uri-0.13.1.gem
Dependency Hierarchy:
- faraday-retry-2.2.1.gem (Root Library)
  - faraday-2.12.0.gem
    - faraday-net_http-3.3.0.gem
      - net-http-0.4.1.gem
        - ❌ uri-0.13.1.gem (Vulnerable Library)
Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35
Found in base branch: master
Vulnerability Details
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in the Ruby 3.2 series), 0.13.2 and earlier (bundled in the Ruby 3.3 series), and 1.0.3 and earlier (bundled in the Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC 3986 and making applications vulnerable to credential exposure. This is a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
Publish Date: 2025-12-30
URL: CVE-2025-61594
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-30
Fix Resolution: https://github.com/ruby/uri.git - v0.12.5,https://github.com/ruby/uri.git - v1.0.4,https://github.com/ruby/uri.git - v0.13.3
CVE-2025-27221
Vulnerable Library - uri-0.13.1.gem
URI is a module providing classes to handle Uniform Resource Identifiers
Library home page: https://rubygems.org/gems/uri-0.13.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /tmp/containerbase/cache/.ruby/cache/uri-0.13.1.gem
Dependency Hierarchy:
- faraday-retry-2.2.1.gem (Root Library)
  - faraday-2.12.0.gem
    - faraday-net_http-3.3.0.gem
      - net-http-0.4.1.gem
        - ❌ uri-0.13.1.gem (Vulnerable Library)
Found in HEAD commit: 820e7bde0ba0cb6a74e83573f2f3e1ebd5262d35
Found in base branch: master
Vulnerability Details
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
Publish Date: 2025-03-03
URL: CVE-2025-27221
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (3.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-22h5-pq3x-2gf2
Release Date: 2025-03-03
Fix Resolution: uri - 0.11.3,uri - 1.0.3,uri - 0.12.4,uri - 0.13.2