GHSA-3824-qmfq-2qv7

Source

https://github.com/advisories/GHSA-3824-qmfq-2qv7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3824-qmfq-2qv7/GHSA-3824-qmfq-2qv7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3824-qmfq-2qv7

Published

2025-04-11T14:08:45Z

Modified

2025-04-11T14:08:45Z

Severity

2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

SurrealDB no JavaScript script function default timeout could facilitate DoS

Details

Through enabling the scripting capability. SurrealDB allows for advanced functions with complicated logic, by allowing embedded functions to be written in JavaScript.

These functions are bounded for memory and stack size, but not in time. An attacker could launch a number of long running functions that could potentially facilitate a Denial Of Service attack.

This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with --allow-scripting or --allow-all and equivalent environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Low, matched by our CVSS v4 assessment.

Impact

An attacker can use the scripting capabilities of SurrealDB to run a series of long running functions to facilitate a Denial Of Service attack.

Patches

A default timeout for the scripting functions has been implemented with a configurable SURREAL_SCRIPTING_MAX_TIME_LIMIT environment variable

Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.

Workarounds

For users that cannot upgrade. Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.

References

5597 SurrealDB Documentation - Capabilities SurrealQL Documentation - Scripting Functions

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-11T14:08:45Z"
}

References

Affected packages

crates.io / surrealdb

Package

Name: surrealdb; View open source insights on deps.dev
Purl: pkg:cargo/surrealdb

Affected ranges

Type: SEMVER
Events: Introduced

2.2.0

Fixed

2.2.2

crates.io / surrealdb

Package

Name: surrealdb; View open source insights on deps.dev
Purl: pkg:cargo/surrealdb

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.5