PT-2026-60951 · Surrealdb · Surrealdb

·

CVE-2025-71390

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

5.8

Medium

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.2.6 SurrealDB versions prior to 2.3.6 SurrealDB versions prior to 2.1.8 SurrealDB versions prior to 3.0.0-alpha.8
Description An authenticated user can bypass network access restrictions in http::* functions. The software fails to validate DNS-resolved hostnames against the --deny-net restriction. By invoking http::<fn>(<url>) with a hostname that resolves to a denied IP address, the server issues the request and returns the response. This allows access to restricted internal endpoints, potentially leading to the retrieval or alteration of sensitive information and credentials.
Recommendations Update SurrealDB to version 2.2.6 or later. Update SurrealDB to version 2.3.6 or later. Update SurrealDB to version 2.1.8 or later. Update SurrealDB to version 3.0.0-alpha.8 or later.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71390

Affected Products

Surrealdb