GHSA-3633-g6mg-p6qq – surrealdb
Package
Manager: cargo
Name: surrealdb
Vulnerable Version: >=2.2.0 <2.2.2 || >=2.1.0 <2.1.5 || >=0 <2.0.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
SurrealDB memory exhaustion via string::replace using regex

An authenticated user can craft a query using the `string::replace` function that uses a regex to perform a string replacement. Because the length of the resulting string is not restricted, an attacker can send a `string::replace` call to the SurrealDB server that exhausts all of the server's memory through string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server. This issue was discovered and patched during a code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

### Impact

An authenticated user can crash the SurrealDB instance through memory exhaustion.

### Patches

A patch has been created that enforces a limit on string length, `SURREAL_GENERATION_ALLOCATION_LIMIT`.

- Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue.

### Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run the `string::replace` function in the affected versions of SurrealDB using the `--deny-functions` flag described within [Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#functions) or the equivalent `SURREAL_CAPS_DENY_FUNC` environment variable.

### References

- [SurrealQL Documentation - DB Functions (string::replace)](https://surrealdb.com/docs/surrealql/functions/database/string#stringreplace)
- [SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#functions)
- [SurrealDB Documentation - Environment Variables](https://surrealdb.com/docs/surrealdb/cli/env)
- [#5619](https://github.com/surrealdb/surrealdb/pull/5619)
- [#5638](https://github.com/surrealdb/surrealdb/pull/5638)
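As an added illustration of the defect class and the shape of the fix (this is not SurrealDB's code, and Python's `re` stands in for the Rust regex engine), the following bounds a regex replacement before the result is built, analogous to the string-length limit the patch enforces; the limit value, `AllocationLimitExceeded` and the function names are assumptions.

```python
import re

# Illustrative cap on the size of a generated string, standing in for the
# SURREAL_GENERATION_ALLOCATION_LIMIT setting the advisory's patch introduces.
# Assumption: 1 MiB is a constructed value, not SurrealDB's default.
ALLOCATION_LIMIT = 1 << 20


class AllocationLimitExceeded(ValueError):
    """Raised when a replacement would produce more output than the limit allows."""


def bounded_replace(text: str, pattern: str, replacement: str,
                    limit: int = ALLOCATION_LIMIT) -> str:
    """Regex replace that refuses to build a result larger than `limit` bytes.

    A plain re.sub() allocates the whole result before anyone can measure it,
    which is the defect in the advisory: a pattern that matches often (the
    empty pattern matches at every position) times a long replacement
    multiplies the input size. Here the projected output length is accumulated
    match by match and the call aborts as soon as it would cross the limit,
    so peak memory stays close to `limit` instead of unbounded.
    """
    pieces, projected, last_end = [], 0, 0
    for m in re.compile(pattern).finditer(text):
        # m.expand() applies backreferences such as \1, so the projected size
        # reflects what would actually be emitted for this match.
        expanded = m.expand(replacement)
        gap = text[last_end:m.start()]
        projected += len(gap.encode("utf-8")) + len(expanded.encode("utf-8"))
        if projected > limit:
            raise AllocationLimitExceeded(f"output would exceed {limit} bytes")
        pieces += (gap, expanded)
        last_end = m.end()
    tail = text[last_end:]
    if projected + len(tail.encode("utf-8")) > limit:
        raise AllocationLimitExceeded(f"output would exceed {limit} bytes")
    pieces.append(tail)
    return "".join(pieces)


def fits_within_limit(text: str, pattern: str, replacement: str,
                      limit: int = ALLOCATION_LIMIT) -> bool:
    """True when the replacement can be built under `limit`, False otherwise."""
    try:
        bounded_replace(text, pattern, replacement, limit)
    except AllocationLimitExceeded:
        return False
    return True


if __name__ == "__main__":
    # Constructed input: 1,000 chars, empty pattern (1,001 matches), 100-byte
    # replacement, so the output would be about 100 KB against a 10 KB limit.
    print(fits_within_limit("x" * 1000, "", "Y" * 100, limit=10_000))  # False
```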
Metadata
Created: 2025-04-11T14:08:03Z
Modified: 2025-04-11T14:08:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3633-g6mg-p6qq/GHSA-3633-g6mg-p6qq.json
CWE IDs: ["CWE-789"]
Alternative ID: N/A
Finding: F184
Auto approve: 1