HTTP Redirect Bypass in SurrealDB Affects User Authentication Security
CVE-2025-71398
5.8MEDIUM
What is CVE-2025-71398?
SurrealDB versions prior to 2.2.2 have a critical flaw where the system does not properly validate HTTP redirects in its HTTP functions. This vulnerability allows authenticated users to bypass set deny-net restrictions, as they can redirect requests to blocked IP addresses. As a result, attackers can exploit this weakness by setting up a public server that can redirect users to blocked network targets. This enables server-side request forgery (SSRF), potentially allowing unauthorized access to sensitive internal endpoints and data. Remediation is crucial to protect sensitive information and maintain network security.
Affected Version(s)
surrealdb 0 < 2.2.2
surrealdb 0 < 2.1.5
surrealdb 0 < 2.0.5
