GHSA-3633-G6MG-P6QQ

Vulnerability from github – Published: 2025-04-11 14:08 – Updated: 2025-04-11 14:08
VLAI
Summary
SurrealDB memory exhaustion via string::replace using regex
Details

An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

Impact

An authenticated user can crash the SurrealDB instance through memory exhaustion

Patches

A patch has been created that enforces a limit on string length SURREAL_GENERATION_ALLOCATION_LIMIT

  • Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run the string::replace function in the affected versions of SurrealDB using the --deny-functions flag described within Capabilities or the equivalent SURREAL_CAPS_DENY_FUNC environment variable.

References

SurrealQL Documentation - DB Functions (string::replace) SurrealDB Documentation - Capabilities SurrealDB Documentation - Environment Variables #5619 #5638

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-11T14:08:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An authenticated user can craft a query using the `string::replace` function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a `string::replace` function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.\n\nThis issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High. \n\n### Impact\nAn authenticated user can crash the SurrealDB instance through memory exhaustion\n\n### Patches\nA patch has been created that enforces a limit on string length  `SURREAL_GENERATION_ALLOCATION_LIMIT`\n\n- Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue\n\n### Workarounds\nAffected users who are unable to update may want to limit the ability of untrusted clients to run the `string::replace` function in the affected versions of SurrealDB using the `--deny-functions` flag described within [Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#functions) or the equivalent `SURREAL_CAPS_DENY_FUNC` environment variable.\n\n### References\n\n[SurrealQL Documentation - DB Functions (string::replace)](https://surrealdb.com/docs/surrealql/functions/database/string#stringreplace)\n[SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#functions)\n[SurrealDB Documentation - Environment Variables](https://surrealdb.com/docs/surrealdb/cli/env)\n[#5619 ](https://github.com/surrealdb/surrealdb/pull/5619)\n[#5638 ](https://github.com/surrealdb/surrealdb/pull/5638)",
  "id": "GHSA-3633-g6mg-p6qq",
  "modified": "2025-04-11T14:08:03Z",
  "published": "2025-04-11T14:08:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-3633-g6mg-p6qq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/5619"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/5638"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SurrealDB memory exhaustion via string::replace using regex "
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…