Server-side Request Forgery (SSRF) Affecting surrealdb-core package, versions <2.0.5, >=2.1.0 <2.1.5, >=2.2.0 <2.2.2


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-SURREALDBCORE-10079742
  • Published: 9 May 2025
  • Disclosed: 11 Apr 2025
  • Credit: cure53

Introduced: 11 Apr 2025

CVE: not available. CWE-918

How to fix?

Upgrade surrealdb-core to version 2.0.5, 2.1.5, 2.2.2 or higher.

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the http::* functions. An attacker can cause the server to reach restricted network addresses by redirecting its traffic to IP addresses it is not authorized to contact.

Note: This is only exploitable if the server is configured with both --allow-net and specific --deny-net settings, i.e. network connections are allowed except to a deny list.

Workaround

The likelihood of this vulnerability being exploited can be reduced by taking an allowlist approach to enabling the http capability, for example surreal start --allow-net 10.0.0.0/8 or the equivalent SURREAL_CAPS_ALLOW_NET environment variable, where the allowed endpoints are fully trusted and are not controlled by regular users. Alternatively, the network access capability can be disabled entirely with --deny-net, or the equivalent SURREAL_CAPS_DENY_NET environment variable, given without any targets; this has an impact on SurrealDB functionality.
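As an added example, not part of the Snyk advisory or of SurrealDB's own tooling, the following POSIX shell check classifies a surreal start command line against the conditions described in the note and the workaround above, so the exploitable allow-plus-specific-deny shape can be flagged in a service definition or deployment script. It assumes that --allow-net or --deny-net followed by a non-option word takes that word as its target list, and that either flag given without a value applies to all endpoints.

```shell
#!/bin/sh
# Added example, not SurrealDB's or Snyk's code: classify the network capability
# settings on a "surreal start" command line against the advisory's conditions.
# Assumptions (not stated on the page): a flag followed by a non-option word takes
# that word as its target list; a flag given with no value applies to all endpoints.

# classify_surreal_net_caps "CMDLINE"
# Prints one of: vulnerable, disabled, allowlist, allow-all, deny-only, default
classify_surreal_net_caps() {
    allow=absent
    deny=absent
    # Word-split the command line into positional parameters.
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            --allow-net|--deny-net)
                flag=$1
                if [ $# -gt 1 ] && [ "${2#--}" = "$2" ]; then
                    value=$2; shift           # explicit target list follows the flag
                else
                    value=all                 # flag given without targets
                fi
                if [ "$flag" = --allow-net ]; then allow=$value; else deny=$value; fi
                ;;
        esac
        shift
    done
    # --deny-net with no targets: outbound network access disabled (safest setting).
    if [ "$deny" = all ]; then echo disabled; return 0; fi
    # Network allowed plus a deny list of specific targets: the advisory's exploitable shape.
    if [ "$allow" != absent ] && [ "$deny" != absent ]; then echo vulnerable; return 0; fi
    if [ "$allow" = all ]; then echo allow-all; return 0; fi
    if [ "$allow" != absent ]; then echo allowlist; return 0; fi
    if [ "$deny" != absent ]; then echo deny-only; return 0; fi
    echo default
}

# Constructed sample command lines (CIDR taken from the workaround above).
classify_surreal_net_caps "surreal start --allow-net --deny-net 10.0.0.0/8"   # vulnerable
classify_surreal_net_caps "surreal start --allow-net 10.0.0.0/8"              # allowlist
classify_surreal_net_caps "surreal start --deny-net"                           # disabled
```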
