CVE-2025-71390 PUBLISHED

SurrealDB before 2.3.6 deny-net Bypass via DNS Resolution

Assigner: VulnCheck
Reserved: 16.07.2026 Published: 18.07.2026 Updated: 18.07.2026

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 (and 3.0.0-alpha.7 and earlier) fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http::* functions. An authenticated user can invoke http::<fn>(<url>) with a hostname that resolves to a denied IP address, causing the server to issue the request anyway and return the response. This bypasses network access controls, allowing access to restricted internal endpoints and potentially retrieving or altering sensitive information and credentials, depending on the deployment.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H
CVSS Score: 5.8

Product Status

Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.3.6, 2.2.6 (excl.)
  • Version 2.3.6, 2.2.6 is unaffected

Credits

  • manelmontilla reporter

References

Problem Types

  • Incorrect Authorization CWE