CVE-2024-58368
SurrealDB · SurrealDB
SurrealDB versions prior to 1.1.0 are susceptible to a denial of service vulnerability caused by an uncaught exception during HTTP header processing.
Executive summary
A denial of service vulnerability in SurrealDB allows unauthenticated attackers to crash the service via specially crafted HTTP headers.
Vulnerability
The application is vulnerable to an uncaught exception (CWE-248) when processing specific HTTP headers. This flaw is exploitable by unauthenticated remote attackers.
Business impact
Successful exploitation results in service unavailability, which directly impacts business continuity for applications relying on the database. With a CVSS score of 7.5, this high severity vulnerability poses a significant risk to system uptime and stability if left unpatched.
Remediation
Immediate Action: Update SurrealDB to version 1.1.0 or later to include the necessary exception handling fixes.
Proactive Monitoring: Monitor server logs and service health metrics for unexpected restarts or crashes that may indicate exploitation attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) to filter and sanitize incoming HTTP headers, blocking requests that exhibit anomalous patterns or malformed structures.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the high impact on service availability, organizations should prioritize upgrading their SurrealDB instances to version 1.1.0 immediately. Ensuring the database remains stable and resilient against remote crashes is critical for maintaining overall infrastructure integrity.