diff --git a/SPECS/rubygem-faraday/CVE-2026-25765.patch b/SPECS/rubygem-faraday/CVE-2026-25765.patch
new file mode 100644
index 00000000000..cce35d1593b
--- /dev/null
+++ b/SPECS/rubygem-faraday/CVE-2026-25765.patch
@@ -0,0 +1,88 @@
+From 0f6f073f236f38266014a5b0b8e594ac70943e55 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 2 Apr 2026 15:19:24 +0000
+Subject: [PATCH] Fix: Guard against protocol-relative URLs in
+ build_exclusive_url; adjust Rubocop; add specs (GHSA-33mh-2634-fwr2)
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc.patch
+---
+ .rubocop_todo.yml | 2 +-
+ lib/faraday/connection.rb | 2 ++
+ spec/faraday/connection_spec.rb | 34 +++++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
+index fbec6de..3c75338 100644
+--- a/.rubocop_todo.yml
++++ b/.rubocop_todo.yml
+@@ -31,7 +31,7 @@ Metrics/AbcSize:
+ # Offense count: 4
+ # Configuration parameters: CountComments, CountAsOne.
+ Metrics/ClassLength:
+- Max: 230
++ Max: 235
+ 
+ # Offense count: 9
+ # Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods.
+diff --git a/lib/faraday/connection.rb b/lib/faraday/connection.rb
+index 3672856..f97aab2 100644
+--- a/lib/faraday/connection.rb
++++ b/lib/faraday/connection.rb
+@@ -474,6 +474,8 @@ module Faraday
+ if url && base.path && base.path !~ %r{/$}
+ base.path = "#{base.path}/" # ensure trailing slash
+ end
++ # Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`)
++ url = "./#{url}" if url.respond_to?(:start_with?) && url.start_with?('//')
+ url = url.to_s.gsub(':', '%3A') if url && URI.parse(url.to_s).opaque
+ uri = url ? 
base + url : base
+ if params
+diff --git a/spec/faraday/connection_spec.rb b/spec/faraday/connection_spec.rb
+index 05d9c28..3ee9daa 100644
+--- a/spec/faraday/connection_spec.rb
++++ b/spec/faraday/connection_spec.rb
+@@ -310,6 +310,40 @@ RSpec.describe Faraday::Connection do
+ expect(uri.to_s).to eq('http://service.com/api/service%3Asearch?limit=400')
+ end
+ end
++
++ context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do
++ it 'does not allow host override with //evil.com/path' do
++ conn.url_prefix = 'http://httpbingo.org/api'
++ uri = conn.build_exclusive_url('//evil.com/path')
++ expect(uri.host).to eq('httpbingo.org')
++ end
++
++ it 'does not allow host override with //evil.com:8080/path' do
++ conn.url_prefix = 'http://httpbingo.org/api'
++ uri = conn.build_exclusive_url('//evil.com:8080/path')
++ expect(uri.host).to eq('httpbingo.org')
++ end
++
++ it 'does not allow host override with //user:pass@evil.com/path' do
++ conn.url_prefix = 'http://httpbingo.org/api'
++ uri = conn.build_exclusive_url('//user:pass@evil.com/path')
++ expect(uri.host).to eq('httpbingo.org')
++ end
++
++ it 'does not allow host override with ///evil.com' do
++ conn.url_prefix = 'http://httpbingo.org/api'
++ uri = conn.build_exclusive_url('///evil.com')
++ expect(uri.host).to eq('httpbingo.org')
++ end
++
++ it 'still allows single-slash absolute paths' do
++ conn.url_prefix = 'http://httpbingo.org/api'
++ uri = conn.build_exclusive_url('/safe/path')
++ expect(uri.host).to eq('httpbingo.org')
++ expect(uri.path).to eq('/safe/path')
++ end
++ end
++
+ end
+ 
+ describe '#build_url' do
+--
+2.45.4
+
diff --git a/SPECS/rubygem-faraday/rubygem-faraday.spec b/SPECS/rubygem-faraday/rubygem-faraday.spec
index 9a3fcf6e88d..c787dbad7a9 100644
--- a/SPECS/rubygem-faraday/rubygem-faraday.spec
+++ b/SPECS/rubygem-faraday/rubygem-faraday.spec
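Review bot: The new guard in build_exclusive_url rewrites `url` only when it responds to `start_with?`, so a URI instance that carries an authority but no scheme (what URI produces for a `//host/path` string) would skip the `./` prefix and reach `uri = url ? base + url : base` unchanged, where the merge takes the authority from the relative part; whether callers can pass URI objects here is not visible in this hunk, but applying the check to the string form, `url = "./#{url}" if url && url.to_s.start_with?('//')`, closes that gap without changing the String case. The added specs assert only `uri.host`; adding `expect(uri.to_s).to start_with('http://httpbingo.org/api/')` to each example would also pin that the rewritten input lands under the base path rather than merely keeping the host. The new comment names `service:search`, but that case is handled by the pre-existing `gsub(':', '%3A')` line below it, not by the new guard, so a comment per line (`# Protocol-relative input must not replace the base authority` above the new line) would read more accurately. The enclosing method starts and ends outside the hunk.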
@@ -3,13 +3,14 @@ Summary: HTTP/REST API client library
Name: rubygem-faraday
Version: 2.5.2
-Release: 1%{?dist}
+Release: 2%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Languages
URL: https://lostisland.github.io/faraday/
Source0: https://github.com/lostisland/faraday/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+Patch0: CVE-2026-25765.patch
BuildRequires: ruby
Requires: rubygem-multipart-post < 3
Requires: rubygem-ruby2_keywords
@@ -23,6 +24,7 @@ when processing the request/response cycle.
%prep
%setup -q -n %{gem_name}-%{version}
+%patch 0 -p1
%build
gem build %{gem_name}
@@ -36,6 +38,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
%{gemdir}
%changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account - 2.5.2-2
+- Patch for CVE-2026-25765
+
* Wed Sep 07 2022 Neha Agarwal - 2.5.2-1
- Update to v2.5.2.