CVE-2025-71391

SurrealDB · surrealdb

SurrealDB is susceptible to a denial-of-service vulnerability via the SQL endpoint due to an uncaught exception, which can be triggered by authenticated users.

Executive summary

A denial-of-service vulnerability in SurrealDB versions prior to the 2.0.5, 2.1.5, and 2.2.2 branches allows authenticated users to crash the service via the SQL endpoint.

Vulnerability

This vulnerability is categorized as an uncaught exception (CWE-248), which leads to a denial-of-service condition when specific inputs are sent to the SQL endpoint. The flaw requires an authenticated user with low privileges to trigger the service crash.

Business impact

Successful exploitation results in the unavailability of the SurrealDB service, causing potential system downtime and disruption to dependent applications. With a CVSS score of 7.1, this represents a significant threat to service availability and operational continuity.

Remediation

Immediate Action: Update SurrealDB to the patched versions: 2.0.5, 2.1.5, or 2.2.2, depending on the current branch in use.

Proactive Monitoring: Monitor server health and application logs for unexpected service restarts or crash-related error messages originating from the SQL endpoint.

Compensating Controls: Implement rate limiting or request validation on the SQL endpoint to prevent malicious inputs from reaching the vulnerable code path.

Exploitation status

Public Exploit Available: No (exploit_available: unknown)

Analyst recommendation

To ensure service stability, it is imperative to apply the provided vendor updates immediately. Organizations relying on SurrealDB for critical operations should prioritize this update to prevent potential service disruptions caused by this denial-of-service flaw.