logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-m7rc-8w7m-r9qr surrealdb

Package

Manager: cargo
Name: surrealdb
Vulnerable Version: >=2.2.0 <2.2.2 || >=2.1.0 <2.1.5 || >=0 <2.0.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

SurrealDB vulnerable to memory exhaustion via nested functions and scripts In order to prevent DoS situations due to infinite recursions, SurrealDB implements a limit of nested calls for both native functions and embedded JavaScript functions. However, in SurrealDB instances with embedded scripting functions enabled, it was found that this limit can be circumvented by utilizing both at the same time. If a native function contains JavaScript which issues a new query that calls that function, the recursion limit is not triggered. Once executed, SurrealDB will follow the path of infinite recursions until the system runs out of memory, prior to the recursion limit being triggered. This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with `--allow-scripting` or `--allow-all` and equivalent environment variables `SURREAL_CAPS_ALLOW_SCRIPT=true` and `SURREAL_CAPS_ALLOW_ALL=true`. This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Medium, matched by our CVSS v4 assessment. ### Impact For SurrealDB instances with embedded scripting functions enabled, this attack could be used to perform a DoS attack on the server by an authenticated user. ### Patches A patch has been created that further limits scripting function call limit recursion depth and disallows multiple calls to `surreadb.query()` to run in parallel in a scripting function. - Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue. ### Workarounds Deny execution of embedded scripting functions through the configuration of [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#capabilities) by starting SurrealDB with the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`. This has a usability implication, although scripting functions are disabled by default. ### References [SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities) [SurrealQL Documentation - Scripting Functions](https://surrealdb.com/docs/surrealql/functions/script)

Metadata

Created: 2025-04-10T21:07:44Z
Modified: 2025-04-10T21:08:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-m7rc-8w7m-r9qr/GHSA-m7rc-8w7m-r9qr.json
CWE IDs: ["CWE-674"]
Alternative ID: N/A
Finding: F067
Auto approve: 1