GHSA-H5RG-8P7F-47G2: GHSA-h5rg-8p7f-47g2: Server-Side Request Forgery (SSRF) in SurrealDB Identity & Access Management (IAM) JWKS Fetcher

#security #cve #cybersecurity #ghsa

GHSA-h5rg-8p7f-47g2: Server-Side Request Forgery (SSRF) in SurrealDB Identity & Access Management (IAM) JWKS Fetcher

Vulnerability ID: GHSA-H5RG-8P7F-47G2
CVSS Score: 4.1
Published: 2026-06-19

A Server-Side Request Forgery (SSRF) vulnerability exists in SurrealDB's Identity & Access Management (IAM) module prior to version 3.1.5. When configuring JSON Web Key Set (JWKS) URLs for token verification, the remote fetcher follows HTTP redirects by default without validating redirect targets against configured network capabilities. This allows high-privileged users to bypass network access limits and perform blind port scanning of internal network resources.

TL;DR

High-privileged users can exploit automatic HTTP redirect following in SurrealDB's JWKS fetcher to bypass egress restrictions and perform blind SSRF against internal resources.

Technical Details

CWE ID: CWE-918
Attack Vector: Network
CVSS v3.1 Score: 4.1
Exploit Status: none
KEV Status: Not Listed

Affected Systems

SurrealDB
SurrealDB: < 3.1.5 (Fixed in: 3.1.5)

Mitigation Strategies

Upgrade SurrealDB to version 3.1.5 or higher
Restrict database 'Owner' roles and administrative privileges
Implement infrastructure-level egress firewall rules
Use static local cryptographic keys in ACCESS configurations

Remediation Steps:

Identify all running instances of SurrealDB and verify their running versions.
Upgrade the instances to version 3.1.5 or newer to ensure the custom redirect policy is enforced in the IAM module.
Configure firewall or security group rules to block egress connections to 127.0.0.1, 169.254.169.254, and RFC 1918 private subnets from the database hosts.