CVE-2025-71395

SurrealDB · SurrealDB

SurrealDB is susceptible to a memory exhaustion vulnerability caused by improper handling of excessive size values in string operations.

Executive summary

SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2 are vulnerable to a memory exhaustion attack that can lead to service disruption.

Vulnerability

This vulnerability is a memory allocation flaw (CWE-789) that allows an authenticated user to trigger excessive memory consumption via specific string replacement operations, leading to potential denial of service.

Business impact

The vulnerability carries a CVSS score of 7.1, reflecting its potential to cause significant service unavailability. Successful exploitation allows an attacker to exhaust system resources, resulting in application crashes and downtime, which can disrupt critical business operations reliant on the database.

Remediation

Immediate Action: Update SurrealDB to version 2.0.5, 2.1.5, or 2.2.2 depending on your current deployment branch.

Proactive Monitoring: Monitor server memory usage and database process logs for sudden, unexplained spikes or service restarts that may indicate resource exhaustion attempts.

Compensating Controls: Implement resource quotas or rate limiting for database requests to restrict the volume of complex operations a single user can perform.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the high severity of this vulnerability, administrators should prioritize updating to the patched versions immediately. Failure to address this flaw leaves the database infrastructure exposed to denial of service attacks that could severely impact system reliability.