logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-3824-qmfq-2qv7 surrealdb

Package

Manager: cargo
Name: surrealdb
Vulnerable Version: >=2.2.0 <2.2.2 || >=0 <2.0.5 || >=2.1.0 <2.1.5

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

SurrealDB no JavaScript script function default timeout could facilitate DoS Through enabling the scripting capability. SurrealDB allows for advanced functions with complicated logic, by allowing embedded functions to be written in JavaScript. These functions are bounded for memory and stack size, but not in time. An attacker could launch a number of long running functions that could potentially facilitate a Denial Of Service attack. This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with `--allow-scripting` or `--allow-all` and equivalent environment variables `SURREAL_CAPS_ALLOW_SCRIPT=true` and `SURREAL_CAPS_ALLOW_ALL=true`. This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Low, matched by our CVSS v4 assessment. ### Impact An attacker can use the scripting capabilities of SurrealDB to run a series of long running functions to facilitate a Denial Of Service attack. ### Patches A default timeout for the scripting functions has been implemented with a configurable `SURREAL_SCRIPTING_MAX_TIME_LIMIT` environment variable - Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue. ### Workarounds For users that cannot upgrade. Deny execution of embedded scripting functions through the configuration of [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#capabilities) by starting SurrealDB with the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`. This has a usability implication, although scripting functions are disabled by default. ### References [5597](https://github.com/surrealdb/surrealdb/pull/5597) [SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities) [SurrealQL Documentation - Scripting Functions](https://surrealdb.com/docs/surrealql/functions/script)

Metadata

Created: 2025-04-11T14:08:45Z
Modified: 2025-04-11T14:08:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3824-qmfq-2qv7/GHSA-3824-qmfq-2qv7.json
CWE IDs: ["CWE-770"]
Alternative ID: N/A
Finding: F002
Auto approve: 1