HTTP Redirect Bypass in SurrealDB Affects User Authentication Security
CVE-2025-71398

5.8MEDIUM

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2025-71398?

SurrealDB versions prior to 2.2.2 have a critical flaw where the system does not properly validate HTTP redirects in its HTTP functions. This vulnerability allows authenticated users to bypass set deny-net restrictions, as they can redirect requests to blocked IP addresses. As a result, attackers can exploit this weakness by setting up a public server that can redirect users to blocked network targets. This enables server-side request forgery (SSRF), potentially allowing unauthorized access to sensitive internal endpoints and data. Remediation is crucial to protect sensitive information and maintain network security.

Affected Version(s)

surrealdb 0 < 2.2.2

surrealdb 0 < 2.1.5

surrealdb 0 < 2.0.5

References

CVSS V4

Score:
5.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

cure53
.