Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faradays build_exclusive_url method (in lib/faraday/connection.rb) uses Rubys URI#merge to combine the connections base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URLs host/authority component. This means that if any application passes user-controlled input to Faradays get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Weakness
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.