PT-2026-60959 · Surrealdb · Surrealdb

·

CVE-2025-71398

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

5.8

Medium

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.2.2
Description Authenticated users can bypass deny-net restrictions in http functions due to a failure to validate HTTP redirects. By hosting a public server that redirects to blocked IP addresses, an attacker can perform server-side request forgery (SSRF)—a technique used to induce the server to make requests to an unintended location—to access internal endpoints and retrieve sensitive information.
Recommendations Update SurrealDB to version 2.2.2 or later.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71398

Affected Products

Surrealdb