PT-2026-60959 · Surrealdb · Surrealdb
CVSS v4.0
5.8
Medium
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
SurrealDB versions prior to 2.2.2
Description
Authenticated users can bypass deny-net restrictions in http functions due to a failure to validate HTTP redirects. By hosting a public server that redirects to blocked IP addresses, an attacker can perform server-side request forgery (SSRF)—a technique used to induce the server to make requests to an unintended location—to access internal endpoints and retrieve sensitive information.
Recommendations
Update SurrealDB to version 2.2.2 or later.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Surrealdb