Surrealdb · Surrealdb · CVE-2025-71390
**Name of the Vulnerable Software and Affected Versions**
SurrealDB versions prior to 2.2.6
SurrealDB versions prior to 2.3.6
SurrealDB versions prior to 2.1.8
SurrealDB versions prior to 3.0.0-alpha.8
**Description**
An authenticated user can bypass network access restrictions in `http::*` functions. The software fails to validate DNS-resolved hostnames against the `--deny-net` restriction. By invoking `http::<fn>(<url>)` with a hostname that resolves to a denied IP address, the server issues the request and returns the response. This allows access to restricted internal endpoints, potentially leading to the retrieval or alteration of sensitive information and credentials.
**Recommendations**
Update SurrealDB to version 2.2.6 or later.
Update SurrealDB to version 2.3.6 or later.
Update SurrealDB to version 2.1.8 or later.
Update SurrealDB to version 3.0.0-alpha.8 or later.