CVE-2025-71397

SurrealDB · SurrealDB

SurrealDB is vulnerable to a CPU exhaustion attack due to an infinite loop flaw triggered by improper handling of nested for loops.

Executive summary

SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2 contain an infinite loop vulnerability that can be exploited to cause significant CPU exhaustion.

Vulnerability

This vulnerability is an infinite loop flaw (CWE-835) that can be triggered by an authenticated user, causing the system to hang or become unresponsive due to excessive CPU usage.

Business impact

With a CVSS score of 7.1, this vulnerability poses a high risk to availability. An attacker can intentionally trigger the infinite loop to consume all available CPU resources, effectively taking the database offline and preventing legitimate users from accessing or modifying data.

Remediation

Immediate Action: Upgrade to version 2.0.5, 2.1.5, or 2.2.2 to resolve the loop logic error.

Proactive Monitoring: Review CPU utilization metrics and process logs for persistent high-load conditions that correspond with specific user queries.

Compensating Controls: Apply query execution timeouts to prevent runaway processes from consuming system resources indefinitely.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Immediate remediation is required to maintain system stability. Administrators should apply the provided updates as soon as possible to prevent potential service degradation and denial of service events.