GHSA-3v2x-9xcv-2v2v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3v2x-9xcv-2v2v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3v2x-9xcv-2v2v/GHSA-3v2x-9xcv-2v2v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3v2x-9xcv-2v2v
- Published
- 2026-01-22T18:06:15Z
- Modified
- 2026-02-03T03:04:34.340779Z
- Severity
-
- 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions
- Details
-
Unprivileged users (for example, those with the database editor role) can create or modify fields in records that contain functions or
futures.Futuresare values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who originally defined the future. Likewise, fields containing functions or custom-defined logic (closures) are executed under the privileges of the invoking user, not the creator.This results in a confused deputy vulnerability: an attacker with limited privileges can define a malicious function or future field that performs privileged actions. When a higher-privileged user (such as a root owner or namespace administrator) executes the function or queries or modifies that record, the function executes with their elevated permissions.
Impact
An attacker who can create or update function/future fields can plant logic that executes with a privileged user’s context. If a privileged user performs a write that touches the malicious field, the attacker can achieve full privilege escalation (e.g., create a root owner and take over the server).
If a privileged user performs a read action on the malicious field, this attack vector could still be potentially be used to perform limited denial of service or, in the specific case where the network capability was explicitly enabled and unrestricted, exfiltrate database information over the network.
Patches
Versions prior to 2.5.0 and 3.0.0-beta.3 are vulnerable.
For SurrealDB 3.0,
futuresare no longer supported, replaced bycomputedfields, only available within schemaful tables.Further to this patches for 2.5.0 and 3.0.0-beta.3: - Implements an
auth_limiton defined apis, functions, fields and events, that limits execution to the permissions of the creating user or the invoking user, whichever is lower. - Preventsclosuresfrom being stored, that eliminates a potential attack surface. For 2.5.0 this can still be allowed by using theinsecure_storable_closurescapability - Ensures the proper auth level is used to compute expressions in signin & signupFor existing apis, events, fields and functions defined prior to upgrading to 2.5.0 or 3.0.0-beta.3
auth_limitwill not apply, to avoid breaking changes. These will need to subsequently be redefined so thatauth_limitcan take effect.Workarounds
Users unable to patch are advised to evaluate their use of the database to identify where low privileged users are able to define logic subsequently executed by privileged users, such as apis, functions, futures fields and events, and recommended to minimise these instances.
References
- Database specific
{ "cwe_ids": [ "CWE-441" ], "severity": "HIGH", "nvd_published_at": null, "github_reviewed_at": "2026-01-22T18:06:15Z", "github_reviewed": true }- References
-
- https://github.com/surrealdb/surrealdb/security/advisories/GHSA-3v2x-9xcv-2v2v
- https://github.com/surrealdb/surrealdb/commit/f515c91363ee735aa1bc08580d9e7fa0de6e736f
- https://github.com/surrealdb/surrealdb
- https://github.com/surrealdb/surrealdb/releases/tag/v2.5.0
- https://github.com/surrealdb/surrealdb/releases/tag/v3.0.0-beta.2
Affected packages
crates.io / surrealdb
Package
- Name
- surrealdb
- View open source insights on deps.dev
- Purl
- pkg:cargo/surrealdb
crates.io / surrealdb
Package
- Name
- surrealdb
- View open source insights on deps.dev
- Purl
- pkg:cargo/surrealdb