CVE-2025-71398

Published Jul 18, 2026 CWE-918

Description

SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a public server that redirects to denied network targets, enabling server-side request forgery to access internal endpoints and retrieve sensitive information.

Is your site exposed to CVE-2025-71398?

Run a free security scan — no signup, results in seconds.

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

References

Frequently Asked Questions

What is CVE-2025-71398? +
SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a public server that redirects to denied network targets, enabling server-side request forgery to access internal endpoints and retrieve sensitive information.
How do I check if I'm vulnerable to CVE-2025-71398? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-71398 — free, no signup required.