logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-rq86-9m6r-cm3g surrealdb

Package

Manager: cargo
Name: surrealdb
Vulnerable Version: >=2.2.0 <2.2.2 || >=2.1.0 <2.1.5 || >=0 <2.0.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

SurrealDB has uncaught exception in Net module that leads to database crash A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the `net` module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the **/sql** endpoint. ### Impact This vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint. Where SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector. ### Patches A patch has been introduced that ensures the error is caught and converted as an error. - Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue ### Workarounds Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash. Where SurrealDB is used as an application backend, ensure sanitisation of input at the application layer to prevent injection attacks. ### References https://github.com/surrealdb/surrealdb/pull/5647

Metadata

Created: 2025-04-10T21:05:34Z
Modified: 2025-04-10T21:05:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rq86-9m6r-cm3g/GHSA-rq86-9m6r-cm3g.json
CWE IDs: ["CWE-248"]
Alternative ID: N/A
Finding: F140
Auto approve: 1