CVE-2025-71395
SurrealDB · SurrealDB
SurrealDB is susceptible to a memory exhaustion vulnerability caused by improper handling of excessive size values in string operations.
Executive summary
SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2 are vulnerable to a memory exhaustion attack that can lead to service disruption.
Vulnerability
This vulnerability is a memory allocation flaw (CWE-789) that allows an authenticated user to trigger excessive memory consumption via specific string replacement operations, leading to potential denial of service.
Business impact
The vulnerability carries a CVSS score of 7.1, reflecting its potential to cause significant service unavailability. Successful exploitation allows an attacker to exhaust system resources, resulting in application crashes and downtime, which can disrupt critical business operations reliant on the database.
Remediation
Immediate Action: Update SurrealDB to version 2.0.5, 2.1.5, or 2.2.2 depending on your current deployment branch.
Proactive Monitoring: Monitor server memory usage and database process logs for sudden, unexplained spikes or service restarts that may indicate resource exhaustion attempts.
Compensating Controls: Implement resource quotas or rate limiting for database requests to restrict the volume of complex operations a single user can perform.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the high severity of this vulnerability, administrators should prioritize updating to the patched versions immediately. Failure to address this flaw leaves the database infrastructure exposed to denial of service attacks that could severely impact system reliability.