AI Copilot Neo Strikes Again: Uncovering CVE-2026-25765 – A Deep Dive into AI-Powered SSRF Discovery + Video



Introduction:

The intersection of artificial intelligence and cybersecurity has reached a new milestone with ProjectDiscovery’s Neo, an AI security copilot, earning its first CVE credit for discovering a Server-Side Request Forgery (SSRF) vulnerability in the widely used Ruby HTTP client library, Faraday. This event underscores a paradigm shift: AI tools are no longer just automating repetitive tasks but are now capable of performing sophisticated, context-aware code audits that rival human experts. For security teams and developers, this means the attack surface is being scrutinized by intelligent agents that can trace complex code paths, validate exploits, and produce actionable reports—fundamentally changing how we approach software assurance.

Learning Objectives:

  • Understand the mechanics and impact of SSRF vulnerabilities, specifically CVE-2026-25765 in Faraday.
  • Learn how AI-powered tools like Neo perform deep code analysis to discover zero-days.
  • Acquire practical skills to test for, mitigate, and integrate AI-based security scanning into your development lifecycle.

You Should Know:

  1. The Faraday SSRF Vulnerability (CVE-2026-25765): A Technical Breakdown
    Faraday is a popular HTTP client abstraction layer for Ruby, used by countless applications to make web requests. Neo analyzed Faraday’s source code and identified a subtle edge case in the URL construction path that could lead to Server-Side Request Forgery. The issue, present in versions up to 2.14.0, allowed an attacker to manipulate input in a way that the underlying HTTP request would be sent to an unintended internal or external host, bypassing intended restrictions.

Step-by-step to understand the vulnerable pattern:

  • In Ruby, Faraday allows dynamic URL building via options like `url` and params.
  • The vulnerability likely stemmed from improper validation of user-supplied hostnames or schemes during redirect handling or connection reuse.
  • To simulate a similar scenario (conceptual, not the exact exploit), consider this vulnerable code snippet:

```ruby
require 'faraday'

def fetch_user_input(url)
  conn = Faraday.new(url: url) do |f|
    f.adapter Faraday.default_adapter
  end
  conn.get('/')  # The initial URL might be sanitized, but redirects may not be
end

# Attacker supplies: http://169.254.169.254/latest/meta-data/
fetch_user_input(params[:url])
```

    – The fix in Faraday 2.14.1 involved stricter validation of redirect targets and URL normalization, ensuring that any redirect destination is checked against an allowlist or that unsafe schemes (like file://, gopher://) are blocked.

    Commands to check your Faraday version:

```bash
# In a Bundler-managed project
bundle list | grep faraday
# Or for gems installed outside Bundler
gem list faraday
# Update to the patched version
bundle update faraday
```
    2. How Neo’s AI Engine Performs Deep Code Analysis
      Neo is designed to emulate a senior security engineer’s thought process. It statically analyzes codebases, traces data flow, and identifies potential vulnerabilities by understanding the context of function calls, variable assignments, and external inputs. In the Faraday case, Neo traced the URL construction path from user input to the underlying HTTP request execution, pinpointing where validation was missing.

    Conceptual steps to replicate an AI‑assisted code review (using open‑source tools as a proxy):
    – Step 1: Static Analysis with CodeQL or Semgrep

```bash
# Install Semgrep
python3 -m pip install semgrep
# Run the community Ruby ruleset
semgrep --config "p/ruby" /path/to/code
# Or run an ad-hoc pattern to list URL construction sites (--pattern cannot be combined with --config)
semgrep --lang ruby --pattern 'Faraday.new(url: $X)' /path/to/code
```

    – Step 2: Dynamic Taint Tracking (using a tool like Bearer)

```bash
bearer scan /path/to/project
```

    – Step 3: Manual Validation (like Neo’s runtime step)
    – Set up a test environment with Faraday and a simple Sinatra server that logs requests.
    – Craft malicious inputs (e.g., `http://169.254.169.254/`) and observe if Faraday follows redirects to internal IPs.
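A custom Semgrep rule, added here for this article (it is not from ProjectDiscovery or the Faraday project), that approximates Step 1 with taint tracking rather than a bare pattern: `params[...]` is the source, the `url:` argument of `Faraday.new` (and the first argument of `Faraday.get`) is the sink, and the `validate_url` helper from the hardening section counts as a sanitizer. The rule id, the message, the file name `ssrf-faraday.yaml` and the assumption that clients are built with a keyword `url:` argument are mine; check the syntax with `semgrep --validate --config ssrf-faraday.yaml` and run it with `semgrep --config ssrf-faraday.yaml /path/to/code`.

```yaml
rules:
  - id: faraday-user-controlled-url
    languages: [ruby]
    severity: WARNING
    message: >-
      A request parameter flows into the Faraday base URL without validation.
      Check scheme, host and port against an allowlist and block private ranges
      before building the client.
    metadata:
      cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
    mode: taint
    pattern-sources:
      # Anything read from the request parameters (assumed Sinatra/Rails style)
      - pattern: params[...]
    pattern-sanitizers:
      # The allowlist helper from the hardening section stops the taint
      - pattern: validate_url(...)
    pattern-sinks:
      # The url: keyword argument of Faraday.new
      - patterns:
          - pattern-inside: Faraday.new(url: $URL, ...)
          - pattern: $URL
      # One-shot class-level request
      - pattern: Faraday.get($URL, ...)
```

Because the rule only reports the flow from `params` to the base URL, a finding means "user input decides where the server connects", which is exactly the condition the page attributes to the Faraday bug; it says nothing about redirects, so Step 3 is still needed.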

    3. Hands-On SSRF Testing: Commands and Techniques for Pentesters
      SSRF vulnerabilities allow an attacker to make requests from the vulnerable server to internal or external resources. Testing for SSRF requires a combination of manual and automated checks.

    Linux/macOS commands to test for basic SSRF:

```bash
# Use curl to simulate a server-side request to internal metadata endpoints
curl -X POST http://target.com/page -d "url=http://169.254.169.254/latest/meta-data/"
# Use Burp Collaborator or a custom listener
nc -lvnp 8080
# Then trigger a request to your listener via the vulnerable parameter
curl "http://target.com/fetch?url=http://your-server-ip:8080/ssrf-test"
```

    Windows PowerShell equivalent:

```powershell
# Using Invoke-WebRequest
Invoke-WebRequest -Uri "http://target.com/page" -Method POST -Body @{url="http://169.254.169.254/latest/meta-data/"}
```

    Advanced SSRF testing with a proxy (Burp Suite):

    • Intercept requests and modify the `url` parameter to point to internal addresses (e.g., `http://127.0.0.1:22`, `http://172.16.0.1/`, `file:///etc/passwd`).
    • Use Burp’s Intruder to fuzz for open ports on internal networks.

    Automated scanning with Nuclei (from ProjectDiscovery):

```bash
nuclei -u http://target.com -t exposures/configs/ssrf -var "url=http://internal-service"
```

    4. Mitigating SSRF in HTTP Clients: Configuration and Best Practices
      Developers using Faraday (or any HTTP client) must implement defense-in-depth to prevent SSRF.

    Ruby/Faraday-specific hardening:

    • Disable redirects unless explicitly needed:

```ruby
require 'faraday'
require 'faraday/follow_redirects' # Faraday 2.x: redirect following comes from the faraday-follow_redirects gem

conn = Faraday.new(url: 'http://example.com') do |f|
  f.use Faraday::FollowRedirects::Middleware, limit: 0  # limit: 0 disables redirect following
  f.adapter Faraday.default_adapter
end
```

    • Implement an allowlist for destinations:

```ruby
require 'uri'

# A constant rather than a local variable, so the method body can see it
ALLOWED_HOSTS = ['api.trusted.com', '192.168.1.100'].freeze

def validate_url(url)
  uri = URI.parse(url)
  raise "Blocked host" unless ALLOWED_HOSTS.include?(uri.host)
  uri
end
```

    • Use Faraday middleware to sanitize URLs before sending:

```ruby
require 'faraday'
require 'ipaddr'

class SanitizeUrlMiddleware < Faraday::Middleware
  PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16].map { |cidr| IPAddr.new(cidr) }.freeze

  def call(env)
    env.url = sanitize(env.url)
    @app.call(env)
  end

  # Remove any userinfo and block literal private IPs (hostnames are not resolved here)
  def sanitize(url)
    url = url.dup
    url.user = nil
    url.password = nil
    ip = (IPAddr.new(url.hostname.to_s) rescue nil)
    raise Faraday::Error, "Blocked private address: #{url.hostname}" if ip && PRIVATE_RANGES.any? { |r| r.include?(ip) }
    url
  end
end

conn = Faraday.new(url: 'http://example.com') do |f|
  f.use SanitizeUrlMiddleware
  f.adapter Faraday.default_adapter
end
```


    General SSRF mitigation checklist:

    • Validate and sanitize all user‑supplied URLs (scheme, host, port).
    • Block access to private IP ranges (RFC 1918, loopback, link‑local).
    • Use a dedicated DNS resolver that resolves only public addresses.
    • Run HTTP clients in a sandboxed environment with network restrictions.
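A worked example added for this article (not Faraday's or ProjectDiscovery's code) that serves both the probe values used in section 3 and the checklist above: `SsrfGuard.validate` applies the scheme, port, host and private-range checks to a user-supplied URL before it ever reaches `Faraday.new`, with the DNS step injectable so it runs offline, and `SsrfGuard.flag_log_lines` applies the same classifier to a few constructed access-log lines so the section 3 probes (metadata IP, loopback, `file://`) can be spotted in logs. The module name, the stub hostnames and addresses, the log lines and the port allowlist are assumptions of the example.

```ruby
# Added example: SSRF destination check for user-supplied URLs plus an offline
# log classifier for the same probes. Not part of Faraday or Neo.
require 'uri'
require 'ipaddr'
require 'resolv'

module SsrfGuard
  # Ranges a server-side fetcher should never reach: RFC 1918, loopback, link-local
  # (which covers the 169.254.169.254 metadata endpoint) and their IPv6 counterparts.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
    ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze
  ALLOWED_SCHEMES = %w[http https].freeze
  ALLOWED_PORTS   = [80, 443].freeze # assumed policy for the example

  class Blocked < StandardError; end

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  def self.private_address?(addr)
    ip = IPAddr.new(addr)
    ip = ip.native if ip.ipv4_mapped? # judge ::ffff:a.b.c.d by its embedded IPv4 address
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end

  # Returns [uri, vetted_ip]. Connect to vetted_ip instead of re-resolving the name,
  # otherwise a DNS-rebinding host can answer with a public address here and a
  # private one later. The resolver is injectable so tests need no network.
  def self.validate(url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = URI.parse(url.to_s)
    raise Blocked, "scheme #{uri.scheme.inspect} not allowed" unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise Blocked, 'embedded credentials not allowed' if uri.userinfo
    raise Blocked, "port #{uri.port} not allowed" unless ALLOWED_PORTS.include?(uri.port)
    host = uri.hostname.to_s # hostname strips the [] around IPv6 literals
    raise Blocked, 'missing host' if host.empty?
    addrs = ip_literal?(host) ? [host] : resolver.call(host)
    raise Blocked, "#{host} does not resolve" if addrs.empty?
    bad = addrs.find { |a| private_address?(a) } # every answer must be public
    raise Blocked, "#{host} resolves to blocked address #{bad}" if bad
    [uri, addrs.first]
  rescue URI::InvalidURIError => e
    raise Blocked, "malformed URL: #{e.message}"
  end

  def self.safe?(url, resolver: ->(host) { Resolv.getaddresses(host) })
    validate(url, resolver: resolver)
    true
  rescue Blocked
    false
  end

  # Offline classifier for log review: flags non-http(s) schemes and literal private
  # IPs. Hostnames are deliberately not resolved; a log scanner should not emit DNS.
  def self.suspicious_target?(target)
    uri = URI.parse(target)
    return true unless ALLOWED_SCHEMES.include?(uri.scheme)
    host = uri.hostname.to_s
    ip_literal?(host) && private_address?(host)
  rescue URI::InvalidURIError
    true
  end

  # Pulls the `url` query parameter out of Common Log Format request lines and
  # returns the targets that look like SSRF probes.
  def self.flag_log_lines(lines)
    lines.filter_map do |line|
      next unless (m = line.match(/"(?:GET|POST) (\S+) HTTP/))
      query = (URI.parse(m[1]).query rescue nil)
      next unless query
      target = URI.decode_www_form(query).assoc('url')&.last
      target if target && suspicious_target?(target)
    end
  end
end

# Constructed log lines for the demo, not real traffic.
SAMPLE_LOG = [
  '203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "GET /fetch?url=https%3A%2F%2Fapi.trusted.com%2Fv1 HTTP/1.1" 200 512',
  '198.51.100.9 - - [01/Mar/2026:10:00:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 88',
  '198.51.100.9 - - [01/Mar/2026:10:00:03 +0000] "POST /page?url=file:///etc/passwd HTTP/1.1" 500 0',
  '198.51.100.9 - - [01/Mar/2026:10:00:04 +0000] "GET /fetch?url=http://127.0.0.1:22/ HTTP/1.1" 200 12',
  '203.0.113.7 - - [01/Mar/2026:10:00:05 +0000] "GET /healthz HTTP/1.1" 200 2'
].freeze

if $PROGRAM_NAME == __FILE__
  stub = ->(host) { { 'api.trusted.com' => ['203.0.113.10'] }.fetch(host, []) } # constructed DNS answers
  puts SsrfGuard.safe?('https://api.trusted.com/v1', resolver: stub)             # true
  puts SsrfGuard.safe?('http://169.254.169.254/latest/meta-data/', resolver: stub) # false
  puts SsrfGuard.flag_log_lines(SAMPLE_LOG).inspect
end
```

The check runs once, before the client is built, and returns the vetted IP so the caller can pin the connection to it; if redirects are enabled, the same `validate` call has to be applied to every `Location` target, because that is the path the vulnerable snippet in section 1 leaves open.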

    5. Integrating AI-Powered Security Scanners into CI/CD Pipelines

    To catch vulnerabilities like the Faraday SSRF before they reach production, teams can integrate tools like Neo (or similar) into their continuous integration workflow. While Neo itself may be a commercial product, the concept can be emulated with open-source tools.

    Example GitHub Actions workflow for AI-assisted scanning (conceptual):

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  ai-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run AI Code Review
        run: |
          # Simulate Neo-like scanning with Semgrep and custom rules
          python3 -m pip install semgrep
          semgrep --config auto --json -o results.json
          # Optionally upload results to a dashboard
      - name: Upload Findings
        uses: actions/upload-artifact@v3
        with:
          name: security-results
          path: results.json
```

    Jenkins pipeline stage:

```groovy
stage('AI Security Scan') {
  steps {
    sh 'semgrep --config auto --json -o semgrep.json .'
    archiveArtifacts artifacts: 'semgrep.json'
  }
}
```

    6. From Discovery to CVE: The Lifecycle of CVE-2026-25765
      Understanding how Neo reported the Faraday vulnerability provides insight into the responsible disclosure process.
    • Discovery: Neo analyzed Faraday’s source, traced the URL construction path, and identified a missing validation step that could allow an attacker to control the final request destination.
    • Validation: Neo’s runtime component executed the code with malicious inputs to confirm the SSRF was exploitable.
    • Reporting: A detailed write‑up was produced, including steps to reproduce, and sent to Faraday maintainers.
    • Patch: Faraday version 2.14.1 was released with a fix, and the CVE was assigned (CVE-2026-25765) and published in the NVD.

    Commands to verify patch application:

```bash
# In your project, ensure Gemfile or gemspec uses >= 2.14.1
grep faraday Gemfile
bundle install
# Run a test to confirm the vulnerability is mitigated (e.g., try a request to a private IP)
```


    7. The Future of AI in Vulnerability Research

    The Faraday discovery is just the beginning. AI models like Neo, trained on vast codebases and security patterns, will increasingly find complex vulnerabilities that traditional static analyzers miss. This will democratize security research, enabling smaller teams to compete with well-funded bug bounty hunters. However, it also raises concerns: malicious actors could use similar AI tools to find 0-days faster. The security community must adapt by developing AI‑driven defenses and fostering collaboration between AI vendors, researchers, and open‑source maintainers.

    What Undercode Say:

    • Key Takeaway 1: AI copilots like Neo are now capable of discovering real-world CVEs by performing deep, context‑aware code analysis, validating exploits, and producing comprehensive reports—tasks previously requiring human expertise.
    • Key Takeaway 2: The Faraday SSRF vulnerability (CVE-2026-25765) highlights the importance of rigorous input validation and redirect handling in HTTP client libraries; teams must update to patched versions and adopt secure coding practices.

    Analysis: The integration of AI into security research is not a futuristic concept—it’s here. ProjectDiscovery’s Neo has demonstrated that AI can autonomously navigate codebases, identify subtle security flaws, and contribute to the CVE database. This shifts the landscape: security teams can now leverage AI to augment their efforts, scanning entire codebases continuously. However, this also means defenders must stay ahead by embracing AI‑powered tools themselves, as attackers will inevitably weaponize similar technology. The Faraday case serves as a wake‑up call for all software teams: your code is now being audited by machines that never tire and never miss a line. It’s time to integrate AI‑driven security into your SDLC proactively.

    Prediction:

    Within the next two years, AI‑powered vulnerability discovery will account for a significant percentage of all newly reported CVEs. Bug bounty platforms will evolve to include AI‑only challenges, and we will see the emergence of AI‑versus‑AI security testing. Organizations that fail to adopt these tools will fall behind in both security posture and development velocity. The Faraday CVE is the first of many such discoveries, heralding an era where the most critical vulnerabilities are found not by humans, but by intelligent algorithms that understand code better than we do.

    Reported By: Andymcao Some – Hackers Feeds