CVE-2025-71392
surrealdb · surrealdb
SurrealDB is vulnerable to a second-order command injection via the export command, where malicious table or field names can lead to arbitrary code execution during database import.
Executive summary
A critical command injection vulnerability in SurrealDB allows authenticated users to achieve root-level takeover of the database instance by injecting malicious SurrealQL into exported backups.
Vulnerability
The vulnerability is a command injection (CWE-77) occurring during the export process. Authenticated users with specific roles can inject malicious SurrealQL payloads into metadata, which then execute with elevated privileges when an administrator imports the backup file.
Business impact
This vulnerability enables a full root-level takeover of the SurrealDB instance if an administrator imports a compromised backup. This could lead to a total loss of confidentiality, integrity, and availability for the entire database cluster. Given the CVSS score of 9.4, it is a high-priority risk for any organization relying on SurrealDB for sensitive data storage.
Remediation
Immediate Action: Update SurrealDB to version 2.2.2, 2.1.5, or 2.0.5 respectively, depending on the version branch currently in use.
Proactive Monitoring: Audit database logs for the creation of tables or fields with irregular or suspicious names, and monitor administrative import activities.
Compensating Controls: Implement strict role-based access control (RBAC) to limit the creation of tables and fields to only the most trusted users, and perform security reviews of all database backup files before import.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Security teams should treat this vulnerability with high urgency. Ensure that all SurrealDB instances are updated to the latest patched versions and establish rigorous verification procedures for any database imports to prevent the execution of injected malicious commands.