CVE-2025-71397
SurrealDB · SurrealDB
SurrealDB is vulnerable to a CPU exhaustion attack due to an infinite loop flaw triggered by improper handling of nested for loops.
Executive summary
SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2 contain an infinite loop vulnerability that can be exploited to cause significant CPU exhaustion.
Vulnerability
This vulnerability is an infinite loop flaw (CWE-835) that can be triggered by an authenticated user, causing the system to hang or become unresponsive due to excessive CPU usage.
Business impact
With a CVSS score of 7.1, this vulnerability poses a high risk to availability. An attacker can intentionally trigger the infinite loop to consume all available CPU resources, effectively taking the database offline and preventing legitimate users from accessing or modifying data.
Remediation
Immediate Action: Upgrade to version 2.0.5, 2.1.5, or 2.2.2 to resolve the loop logic error.
Proactive Monitoring: Review CPU utilization metrics and process logs for persistent high-load conditions that correspond with specific user queries.
Compensating Controls: Apply query execution timeouts to prevent runaway processes from consuming system resources indefinitely.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Immediate remediation is required to maintain system stability. Administrators should apply the provided updates as soon as possible to prevent potential service degradation and denial of service events.