GHSA-3633-g6mg-p6qq

Source

https://github.com/advisories/GHSA-3633-g6mg-p6qq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3633-g6mg-p6qq/GHSA-3633-g6mg-p6qq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3633-g6mg-p6qq

Published

2025-04-11T14:08:03Z

Modified

2025-04-11T14:08:03Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

SurrealDB memory exhaustion via string::replace using regex

Details

An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

Impact

An authenticated user can crash the SurrealDB instance through memory exhaustion

Patches

A patch has been created that enforces a limit on string length SURREAL_GENERATION_ALLOCATION_LIMIT

Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run the string::replace function in the affected versions of SurrealDB using the --deny-functions flag described within Capabilities or the equivalent SURREAL_CAPS_DENY_FUNC environment variable.

References

SurrealQL Documentation - DB Functions (string::replace) SurrealDB Documentation - Capabilities SurrealDB Documentation - Environment Variables #5619 #5638

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-789"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-11T14:08:03Z"
}

References

Affected packages

crates.io / surrealdb

Package

Name: surrealdb; View open source insights on deps.dev
Purl: pkg:cargo/surrealdb

Affected ranges

Type: SEMVER
Events: Introduced

2.2.0

Fixed

2.2.2

crates.io / surrealdb

Package

Name: surrealdb; View open source insights on deps.dev
Purl: pkg:cargo/surrealdb

Affected ranges

Type: SEMVER
Events: Introduced

2.1.0

Fixed

2.1.5

crates.io / surrealdb

Package

Name: surrealdb; View open source insights on deps.dev
Purl: pkg:cargo/surrealdb

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.5