GHSA-5q9x-554g-9jgg: SurrealDB bypass of deny-net flags via redirect results in server-side request forgery (SSRF)
SurrealDB offers http functions that can access external network endpoints. A typical, albeit not recommended, configuration is to start SurrealDB with all network connections allowed except those on a deny list. For example, surreal start --allow-net --deny-net 10.0.0.0/8 allows all network connections except those to the 10.0.0.0/8 block.
An authenticated user of SurrealDB can use redirects to bypass this restriction, for example by hosting a server on the public internet that redirects, via an HTTP 301 or 307 response code, to the IP addresses blocked by the administrator of the SurrealDB server.
When SurrealDB statements containing the http::* functions are sent to the attacker-controlled host, the SurrealDB server follows the redirects to the blocked IP address. Because the statements also return the responses to the attacker, this issue constitutes a full SSRF vulnerability.
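A per-hop deny-net check, added here as an example and not code from SurrealDB or cure53: it models the behaviour described above (the deny list consulted only for the URL the user supplied, after which redirects are followed blindly) beside the fix (every redirect target checked against the deny list before it is requested). The in-memory "network", the public hosts 203.0.113.10 and 198.51.100.7, the internal host 10.0.0.5, and the names Cidr, NetPolicy, MockNet and fetch are all constructed for this example.

```rust
// Added example (not SurrealDB's own code): a per-hop deny-net check that
// closes the redirect bypass. The HTTP layer is a constructed in-memory map
// so the block runs offline; hosts are literal IPv4 addresses.
use std::collections::HashMap;
use std::net::Ipv4Addr;

const MAX_REDIRECTS: usize = 5;

/// One CIDR block from --deny-net, e.g. "10.0.0.0/8".
#[derive(Debug, Clone, Copy)]
pub struct Cidr {
    network: u32,
    mask: u32,
}

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (addr, prefix) = match s.split_once('/') {
            Some((a, p)) => (a, p.parse::<u32>().ok()?),
            None => (s, 32),
        };
        if prefix > 32 {
            return None;
        }
        let ip: Ipv4Addr = addr.parse().ok()?;
        // prefix 0 handled separately: shifting a u32 by 32 would overflow.
        let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) };
        Some(Cidr { network: u32::from(ip) & mask, mask })
    }

    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        u32::from(ip) & self.mask == self.network
    }
}

/// The deny list the administrator passed on the command line.
pub struct NetPolicy {
    deny: Vec<Cidr>,
}

impl NetPolicy {
    pub fn new(deny_net: &[&str]) -> NetPolicy {
        NetPolicy { deny: deny_net.iter().filter_map(|s| Cidr::parse(s)).collect() }
    }

    pub fn is_denied(&self, ip: Ipv4Addr) -> bool {
        self.deny.iter().any(|c| c.contains(ip))
    }
}

/// What a host answers: a 3xx redirect to another URL, or a 200 body.
#[derive(Debug, Clone)]
pub enum Response {
    Redirect(String),
    Body(String),
}

pub type MockNet = HashMap<&'static str, Response>;

/// Constructed sample network: a public host (TEST-NET-3 address) that
/// redirects into the denied 10.0.0.0/8 block, plus a plain public host.
pub fn constructed_network() -> MockNet {
    let mut net = HashMap::new();
    net.insert("http://203.0.113.10/", Response::Redirect("http://10.0.0.5/admin".to_string()));
    net.insert("http://10.0.0.5/admin", Response::Body("internal-only content".to_string()));
    net.insert("http://198.51.100.7/", Response::Body("public content".to_string()));
    net
}

/// Extracts the literal IPv4 host from "http://1.2.3.4[:port]/path".
fn host_ip(url: &str) -> Result<Ipv4Addr, String> {
    let rest = url
        .strip_prefix("http://")
        .or_else(|| url.strip_prefix("https://"))
        .ok_or_else(|| format!("unsupported scheme: {}", url))?;
    let host = rest.split(|c: char| c == '/' || c == ':').next().unwrap_or("");
    host.parse::<Ipv4Addr>()
        .map_err(|_| format!("only literal IPv4 hosts are modelled: {}", host))
}

/// Follows redirects from `start`. With `check_every_hop == false` the deny
/// list is consulted only for the user-supplied URL (the bypassable
/// behaviour); with `true` every redirect target is checked before it is
/// requested, which is the fix.
pub fn fetch(policy: &NetPolicy, net: &MockNet, start: &str, check_every_hop: bool) -> Result<String, String> {
    let mut url = start.to_string();
    for hop in 0..=MAX_REDIRECTS {
        if check_every_hop || hop == 0 {
            let ip = host_ip(&url)?;
            if policy.is_denied(ip) {
                return Err(format!("refusing {}: {} is in deny-net", url, ip));
            }
        }
        match net.get(url.as_str()) {
            Some(Response::Redirect(target)) => url = target.clone(),
            Some(Response::Body(body)) => return Ok(body.clone()),
            None => return Err(format!("no route to {}", url)),
        }
    }
    Err("too many redirects".to_string())
}

fn main() {
    let policy = NetPolicy::new(&["10.0.0.0/8"]);
    let net = constructed_network();
    println!("check once:      {:?}", fetch(&policy, &net, "http://203.0.113.10/", false));
    println!("check every hop: {:?}", fetch(&policy, &net, "http://203.0.113.10/", true));
}
```

Run stand-alone, the first line reaches the internal-only body through the redirect while the second refuses the hop into 10.0.0.0/8. The model only covers literal IPv4 hosts; a real client must resolve hostnames and apply the same check to every resolved address at every hop, and apply it to IPv6 as well.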
This issue was discovered and patched during a code audit and penetration test of SurrealDB by cure53. The severity as defined in cure53’s preliminary finding is Medium, which matches our CVSS v4 assessment.