CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
Sipeed PicoClaw Missing Authorization Vulnerability in Feishu Group Message Handler
A vulnerability allowing for missing authorization has been identified in Sipeed PicoClaw versions through 0.2.9. The issue arises in the Group Message Handler, specifically within the handleMessageReceive function of the feishu_64.go file. This vulnerability can be exploited remotely, allowing an attacker to manipulate message context and bypass authorization checks.
Sipeed PicoClaw Server-Side Request Forgery Vulnerability in Web Fetch Component
A server-side request forgery (SSRF) vulnerability has been identified in Sipeed PicoClaw versions through 0.2.9. The issue resides in the 'isPrivateOrRestrictedIP' function within 'pkg/tools/integration/web.go', specifically in the 'web_fetch' component. The vulnerability arises because the IP restriction logic fails to block special-use IPv4 addresses, such as '198.18.0.0/15', which should be considered restricted. This oversight allows an attacker to bypass the application's network egress policy and access internal resources via the 'web_fetch' tool.
zhayujie CowAgent Server-Side Request Forgery Vulnerability in Web Fetch Tool
A server-side request forgery (SSRF) vulnerability has been identified in zhayujie CowAgent versions through 2.1.1. The issue resides in the WebFetch tool, specifically within the execute function of web_fetch.py. The vulnerability allows for manipulation of the 'url' argument, enabling requests to internal or special-use HTTP destinations. This flaw can be exploited remotely, potentially leading to unauthorized access to internal services or metadata endpoints. The vulnerability has been publicly disclosed and exploited, but has been patched in version 2.1.2.
SourceCodester Class and Exam Timetabling System Cross-Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Class and Exam Timetabling System version 1.0. The issue resides in the '/forexam.php' file, where the 'day' parameter is not properly validated or encoded, allowing remote attackers to inject and execute malicious scripts in the context of the user's browser. This vulnerability could be exploited to steal cookies, session tokens, or other sensitive information, perform actions on behalf of the user, deface web pages, redirect users to malicious sites, or gain control of the user's browser.
Flow Payment Plugin for WordPress Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Flow Payment plugin for WordPress, specifically in version 3.0.8. The issue occurs on the WooCommerce checkout page, where the plugin improperly handles the error_message GET parameter during order cancellations. This parameter is passed directly to the wc_add_notice() function without adequate input sanitization or output escaping, leaving it vulnerable to JavaScript payloads. An unauthenticated attacker can exploit this by crafting a URL with a malicious payload in the error_message parameter. When a victim with an active WooCommerce checkout session clicks the link, the payload executes in their browser, originating from the WordPress site.
SourceCodester Class and Exam Timetabling System Cross-Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Class and Exam Timetabling System version 1.0. The issue arises in the file '/schoolyr.php', where the 'sy' parameter is not properly validated or encoded, allowing attackers to inject malicious scripts. This vulnerability can be exploited remotely, with public proof-of-concept available.
SourceCodester Class and Exam Timetabling System SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the SourceCodester Class and Exam Timetabling System, specifically in version 1.0. The issue arises in the file '/edit_room1.php', where the 'id' parameter is manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication.
SourceCodester Class and Exam Timetabling System SQL Injection Vulnerability in edit_rooma.php
A SQL injection vulnerability exists in the SourceCodester Class and Exam Timetabling System version 1.0, specifically within the edit_rooma.php file. The vulnerability arises from inadequate validation of the 'id' parameter, allowing remote attackers to inject malicious SQL queries. This exploitation could lead to unauthorized database access, data manipulation, and leakage of sensitive information.
parisneo Lollms Stored Cross-Site Scripting Vulnerability in Prompt Sharing
A stored cross-site scripting vulnerability has been identified in the latest version of parisneo Lollms, specifically within the POST /api/prompts/share endpoint. This vulnerability arises because the endpoint allows attacker-controlled prompt content to be stored in the DBDirectMessage.content field without any server-side sanitization. When a victim accesses the direct message thread, the content is rendered by the DM user interface using MessageContentRenderer, which employs v-html to insert HTML into the DOM. The frontend sanitizer, based on regular expressions, fails to adequately cleanse attacker-controlled HTML, permitting malicious payloads to execute in the context of the victim's browser. As a result, any authenticated user can send a harmful prompt-sharing message to another user's inbox, leading to the execution of arbitrary JavaScript, authenticated actions on behalf of the victim, exposure of same-origin application data, and potential account takeover.
Stoat for Android Improper URI Validation in Exported ShareTargetActivity Component Leading to Internal File Disclosure
A vulnerability in Stoat for Android versions prior to 1.6.0 allows for improper validation of URIs in an exported activity. The ShareTargetActivity component, accessible to any process on the device via the SEND intent, accepts file URIs pointing to the application's internal storage, such as databases, cached authentication tokens, or preferences. This lack of validation enables an attacker to exploit the activity, causing the victim to unintentionally share sensitive internal files as attachments in Stoat channels or with specific users. The shared files could include the local Stoat database, authentication tokens for account takeover, or any other file readable by the app process.
ProFTPD Heap-Based Buffer Overflow Vulnerability in SFTP Module Allowing Denial-of-Service
A heap-based buffer overflow vulnerability has been identified in the ProFTPD SFTP module (mod_sftp) versions prior to 1.3.10. This vulnerability is accessible to authenticated SFTP users and is caused by the fxp_packet_read() function, which improperly handles the 32-bit big-endian SFTP packet length. The lack of a minimum sanity check allows an attacker to craft a packet that triggers an unsigned integer underflow, leading to a request size of approximately 4 GB. This oversized request is mismanaged by the memory allocator, causing a small block to be allocated while the caller is misled into believing a much larger size was received. Exploitation involves sending a malformed SFTP packet with a length of 0, followed by a body exceeding 544 bytes, which results in a controlled buffer overflow on the heap.
CartoDB Carto-Api-Client Prototype Pollution Vulnerability in AddFilter Function
A prototype pollution vulnerability has been identified in CartoDB's carto-api-client version 0.5.29. The issue arises in the addFilter function within src/filters.ts, where improper handling of the column argument allows for unauthorized modification of object prototype properties. This vulnerability can be exploited remotely.
RobinHerbots Inputmask Prototype Pollution Vulnerability in Internal Deep Merge Helper
A prototype pollution vulnerability has been identified in RobinHerbots Inputmask versions through 5.0.9. The issue arises in the internal deep merge helper function, which is part of the library's dependency management. The vulnerability allows for uncontrolled modification of object prototype attributes, potentially leading to malicious exploitation from remote sources.
LiuMengxuan04 MiniCode Command Injection Vulnerability
A command injection vulnerability has been identified in LiuMengxuan04 MiniCode version 0.1.0. The issue arises in the 'mcp.ts' file, specifically within the 'child_process.spawn' function. This vulnerability allows for remote code execution by injecting malicious commands that are executed in the context of the user's environment. Exploitation of this vulnerability is complex and appears to be challenging, but a proof-of-concept exploit has been published and could be used.
itsourcecode Hospital Management System SQL Injection Vulnerability in prescriptionrecord.php
A SQL injection vulnerability has been identified in the itsourcecode Hospital Management System version 1.0. The issue resides in the prescriptionrecord.php file, where the delid parameter is not properly sanitized, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, potentially leading to unauthorized database access, data manipulation, and disruption of service.
NearAI IronClaw Symlink Vulnerability in Write File Tool Allows Arbitrary File Writes
A vulnerability in NearAI IronClaw versions through 0.29.1 allows the built-in 'write_file' tool to write files outside of its designated sandbox. This occurs when the specified path is a dangling symlink pointing to a location beyond the sandbox boundary. The path validation process fails to resolve the symlink correctly, leading to an unauthorized write. The issue requires local access to exploit and has a public exploit available.
princezuda SafestClaw Shell Command Allowlist Bypass Vulnerability
A command-execution policy bypass vulnerability has been identified in princezuda SafestClaw versions through 4.2.4. The issue resides in the built-in web interface's shell action, specifically within the command validation function. The vulnerability allows local execution of denied commands by exploiting an incomplete allowlist. When a command is sent through the web interface, the parser extracts it and forwards it to the shell action without proper validation of the effective executable. This oversight enables the invocation of blocked interpreters, such as bash, by wrapping them in approved commands like 'env'. As a result, the bypassed command executes with the same privileges as the SafestClaw process, potentially accessing sensitive files, environment variables, and network resources.
Zevorn RT-Claw Server-Side Request Forgery Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Zevorn RT-Claw versions through 0.2.0. The issue resides in the 'receiver_thread' function within 'claw/services/swarm/swarm.c', specifically related to the 'http_request' component. This vulnerability allows remote attackers to manipulate requests that the server processes, potentially accessing internal resources or loopback addresses.
Zevorn RT-Claw Server-Side Request Forgery Vulnerability in HTTP Request Tool
A server-side request forgery (SSRF) vulnerability has been identified in Zevorn RT-Claw versions through 0.2.0. The issue arises in the 'http_request' tool, specifically within the 'claw/tools/tool_net.c' file. The vulnerability allows remote attackers to manipulate the 'url' argument, leading to unauthorized HTTP requests being sent to internal or private network addresses. This could expose sensitive information from loopback or private services.
Zevorn rt-claw Swarm RPC Receiver Incorrect Authorization Vulnerability
An authorization bypass vulnerability has been identified in the Zevorn rt-claw application, specifically in versions up to 0.2.0. The issue resides in the Swarm RPC Receiver component, within the handle_rpc_request function of the file claw/services/swarm/swarm.c. This vulnerability allows remote invocation of tools marked as local-only, bypassing intended authorization checks. The flaw has been publicly disclosed and is present in unreleased commits after v0.2.0, including the verified vulnerable commit 36d128f72afa0b9d40a21bcd6069b0c193a58f82.
Zevorn rt-claw Server-Side Request Forgery Vulnerability in http_request Tool
A server-side request forgery (SSRF) vulnerability has been identified in Zevorn rt-claw versions through 0.2.0. The issue arises in the http_request component, specifically within the claw_net_get and claw_net_post functions in claw/services/tools/net.c. The vulnerability allows for arbitrary outbound HTTP requests to be made to internal or localhost resources, with the response being returned to the user. This exploitation can be performed remotely, and the vulnerability has been publicly disclosed.
nextlevelbuilder GoClaw Server-Side Request Forgery Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in nextlevelbuilder GoClaw versions through 3.15.0-beta.32. The issue arises in the web_fetch component, specifically within the CheckSSRF/isPrivateIP function of the file internal/tools/web_shared.go. This vulnerability allows authenticated users with at least operator privileges to bypass SSRF protections and make requests to internal or special-use IP ranges that should be blocked. The flaw has been publicly disclosed and exploited, but it has been patched in version 3.15.0-beta.33.
nextlevelbuilder GoClaw Missing Authorization Vulnerability in Tools Invoke Endpoint Allows Unauthorized Cron Job Binding
A vulnerability exists in nextlevelbuilder GoClaw versions through 3.13.2, specifically within the ToolsInvokeHandler.ServeHTTP function of the internal/http/tools_invoke.go file. This vulnerability arises from a missing authorization check in the Invoke Endpoint, allowing an authenticated user with operator.write privileges to bind a cron job to another user's private agent. While direct access to the foreign agent is correctly blocked, the cron binding is accepted without proper authorization, creating a stored cross-agent authorization bypass that the scheduler later trusts as the execution target.
Nextlevelbuilder GoClaw Authorization Bypass Vulnerability in Exec Approval
An authorization bypass vulnerability has been identified in Nextlevelbuilder GoClaw versions up to 3.13.2. The issue arises in the exec approval process, where the system incorrectly treats different executables as the same trusted binary if they share a basename. This flaw allows an authenticated operator-level user to execute commands on the host without proper authorization, bypassing the intended approval process.
Nextlevelbuilder GoClaw Improper Authorization Vulnerability in Exec Approval Tool
A vulnerability exists in Nextlevelbuilder GoClaw versions up to 3.13.2, specifically within the exec approval tool. The issue arises from the 'isSafeBin' function in 'internal/tools/exec_approval.go', which improperly classifies certain commands as safe based solely on their binary name. This flaw allows authenticated users with operator privileges to execute commands that read from or write to the filesystem without the required human approval. The vulnerability can be exploited remotely, and public exploit scripts are available.
Urwid Web Display Backend Session ID Vulnerability Allowing Keystroke Injection and Code Execution
A vulnerability exists in the Urwid web display backend, specifically in the session ID generation process. The backend uses Python's Mersenne Twister pseudo-random number generator (PRNG) to create web session identifiers. This PRNG is not cryptographically secure, allowing an attacker to predict session IDs. The vulnerability arises because each session ID is generated by concatenating two random numbers from the PRNG, which can be observed through the X-Urwid-ID HTTP response header. An attacker who collects approximately 334 session IDs can reconstruct the internal state of the PRNG and predict all past and future session IDs. Additionally, the session ID is used as the filename for a FIFO (named pipe) created in the world-readable /tmp directory. This exposure allows any local user to enumerate active session tokens directly. With a valid session ID, an attacker can read the victim's terminal screen, inject keystrokes (potentially leading to OS-level code execution if the session runs a shell), and disrupt the session by flooding the FIFO or injecting exit sequences.
Nextlevelbuilder GoClaw Incorrectly-Resolved Name Vulnerability in Exec Approval Allowlist
A vulnerability exists in Nextlevelbuilder GoClaw versions up to 3.13.3-beta.3, specifically within the exec approval management. The issue arises because the 'matchesAllowlist' function trusts basename-only entries, allowing operators to manipulate and execute commands that bypass the intended approval process. This vulnerability can be exploited remotely by authenticated operators via the 'POST /v1/tools/invoke' HTTP endpoint.
GoClaw WebSocket Approval Endpoint Incorrect Authorization Vulnerability
A vulnerability exists in GoClaw versions up to 3.13.2, specifically within the WebSocket approval endpoint. The issue arises in the 'RequestApproval' function of 'internal/tools/exec_approval.go', where the approval cache incorrectly handles 'allow-always' decisions. This flaw allows an operator to approve one BusyBox-wrapped command, which can then be exploited to execute different commands without additional approval, bypassing GoClaw's intended authorization process for executing host commands.
@fastify/http-proxy Prefix Escape Vulnerability via URL-Encoding
A vulnerability exists in @fastify/http-proxy versions through 11.5.0, where the request prefix is not properly rewritten if the prefix segment contains URL-encoded characters. Fastify's routing system decodes URLs for matching purposes, but the original encoded request.url is forwarded to the upstream server without modification. This allows an attacker to access upstream paths that should be hidden by the prefix rewrite, potentially exposing internal or administrative endpoints. The issue arises because the prefix rewrite process uses a literal string replacement, which fails to account for URL encoding.
OpenPLC Runtime v3 Heap-Based Buffer Overflow Vulnerability in Modbus Master Component
A heap-based buffer overflow vulnerability has been identified in OpenPLC Runtime v3, specifically in the Modbus Master component. The issue arises in the getData() function within webserver/core/modbus_master.cpp, where the function reads data into a user-supplied buffer without proper size validation or bounds checking. This vulnerability affects all versions of OpenPLC Runtime v3 up to the latest master commit (b470206). An authenticated attacker with access to the OpenPLC web interface can exploit this vulnerability by sending a crafted HTTP POST request to the /modbus endpoint, using an oversized device_name value. The overflow occurs as the value is saved to mbconfig.cfg and parsed upon loading, overwriting adjacent struct fields and causing heap corruption. This heap corruption leads to a runtime crash, disrupting the PLC process control loop and causing a denial-of-service condition.
SurrealDB HTTP Redirect Vulnerability Allowing Server-Side Request Forgery
A server-side request forgery (SSRF) vulnerability has been identified in SurrealDB versions prior to 2.2.2. The issue arises because the database fails to properly validate HTTP redirects in its HTTP functions. This flaw enables authenticated users to circumvent deny-net restrictions by redirecting to blocked IP addresses. Attackers can exploit this by hosting a public server that redirects to denied network targets, thereby accessing internal endpoints and potentially retrieving sensitive information.
SurrealDB Denial-of-Service Vulnerability via CPU Exhaustion from Nested FOR Loops
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2. This vulnerability allows authenticated users with OWNER or EDITOR permissions at the root, namespace, or database level to create custom database functions using the DEFINE FUNCTION statement. The issue arises from the ability to nest FOR loops, each capable of iterating up to 1,000,000 times. While a single loop's iterations are limited, nesting multiple loops can lead to functions that consume excessive CPU resources. This unchecked execution monopolizes server processing, causing the database to become unresponsive to other queries and connections until it is manually restarted.
SurrealDB Denial-of-Service Vulnerability via Unrestricted JavaScript Execution Time
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2. The issue arises because these versions do not impose a default execution-time limit on embedded JavaScript functions when scripting is enabled. This lack of restriction allows authenticated attackers to submit long-running scripts that can exhaust server resources, leading to a denial-of-service condition. Scripting is disabled by default, but can be enabled with specific command-line flags or environment variables.
SurrealDB Memory Exhaustion Vulnerability in String Replace Function Prior to 2.2.2
A memory exhaustion vulnerability has been identified in SurrealDB versions prior to 2.2.2. This issue arises in the string::replace function, which fails to limit the length of resulting strings when regex patterns are used. An authenticated attacker can exploit this by crafting a malicious query that leads to unbounded string allocations, exhausting server memory and causing a denial-of-service condition.
SurrealDB Local File Read Vulnerability in DEFINE ANALYZER Statement
A local file read vulnerability has been identified in SurrealDB versions prior to 2.2.2. This issue allows authenticated users with root, namespace, or database level privileges to use the DEFINE ANALYZER statement to access arbitrary files on the file system. The vulnerability specifically targets two-column tab-separated values (TSV) files, which can be read and exfiltrated by the attacker.
SurrealDB Recursion Limit Bypass Vulnerability Leading to Memory Exhaustion
A vulnerability exists in SurrealDB versions prior to 2.2.2, 2.1.5, and 2.0.5, when scripting is enabled. The issue arises because the database fails to properly enforce recursion limits. Authenticated attackers can exploit this by chaining native functions with embedded JavaScript that issues new queries, creating infinite recursion that exhausts server memory. This vulnerability only affects SurrealDB instances with scripting capabilities enabled, either through command-line flags or environment variables.
SurrealDB Command-Line Export SurrealQL Injection Vulnerability Allowing Privilege Escalation
A SurrealQL injection vulnerability has been identified in SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2. The issue arises because the command-line export feature does not properly sanitize table and field names. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names that include SurrealQL. When a higher-privileged user imports the exported backup, the injected SurrealQL is executed, leading to privilege escalation and a complete takeover of the SurrealDB instance. Additionally, applications that allow users to define custom tables or fields are vulnerable to a second-order SurrealQL injection, even if query parameters are sanitized.
SurrealDB Uncaught Exception Vulnerability Leading to Denial-of-Service
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.2.2. This issue arises from an uncaught exception in the net module, allowing authenticated users to crash the database. Attackers can exploit this vulnerability by sending crafted HTTP queries with null bytes to the /sql endpoint. The unhandled exception causes the SurrealDB instance to crash, along with any dependent applications.
SurrealDB DNS-Resolved Hostname Denial-of-Service Vulnerability Bypass
A vulnerability exists in SurrealDB versions prior to 2.2.6, 2.3.6, 2.1.8, and 3.0.0-alpha.7 that allows authenticated users to bypass network access restrictions. The issue arises because the application fails to validate DNS-resolved hostnames against deny-net restrictions in its HTTP functions. This flaw enables access to restricted internal endpoints, potentially allowing the retrieval or alteration of sensitive information and credentials, depending on the deployment scenario.
SurrealDB Uncontrolled Recursion Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.1.0. The issue arises because the SurrealQL parser does not properly enforce recursion depth limits when processing nested statements and idioms, such as 'IF', 'RELATE', and attribute access. This flaw allows authorized attackers to submit queries with excessive nesting, leading to a stack overflow that crashes the server.
SurrealDB Denial-of-Service Vulnerability via Global Parameters and Functions
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.1.1. The issue arises because the database fails to properly validate the invocation of custom parameters and functions at the root or namespace levels. Authorized clients can exploit this flaw by invoking these entities at unsupported levels, leading to a server panic and causing the SurrealDB server to crash.
SurrealDB Denial-of-Service Vulnerability via HTTP Header Parsing
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.1.0. The issue arises in the HTTP REST API when the ID, DB, and NS headers contain special characters. Unauthenticated attackers can exploit this vulnerability by sending crafted HTTP requests with malformed header values, leading to an uncaught exception that crashes the server.
SurrealDB Improper Authorization Vulnerability in Field Permissions
A vulnerability exists in SurrealDB versions prior to 2.0.4, where the database fails to properly enforce field permissions during SELECT, UPDATE, and DELETE operations. This oversight allows authorized users to access unauthorized field values through various query techniques. Exploitation can occur via SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references, enabling the leakage of protected field contents despite the absence of SELECT permissions.
SurrealDB Format String Vulnerability in Scripting Functions
A format string vulnerability has been identified in SurrealDB versions prior to 1.1.1. This issue resides in the rquickjs Exception::throw_type function, which is used to execute scripting functions within SurrealDB. When scripting is enabled, attackers with scripting privileges can inject format string sequences into error inputs, potentially leading to arbitrary memory read or execution of code with SurrealDB process privileges.
SurrealDB Denial-of-Service Vulnerability via Nonexistent Built-in Functions
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.2.0. This issue arises from an uncaught exception in the query executor, which occurs when the server processes calls to nonexistent built-in functions. Authorized clients can exploit this vulnerability by crafting pre-parsed queries that invoke these nonexistent functions, leading to a server panic and subsequent crash.
SurrealDB Uncaught Exception Handling Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.2.1. This issue arises from uncaught exception handling in the span rendering process when queries contain errors related to line terminator characters. Authorized clients can exploit this vulnerability by submitting malformed queries that cause a panic in the span rendering code, leading to a server crash.
SurrealDB Improper Authentication Vulnerability Allowing User Impersonation via Database Switch
A vulnerability exists in SurrealDB versions prior to 1.5.4 and 2.0.0-alpha.6, where the database authentication process is not properly validated when a scope user switches databases using the 'USE' clause or method. This flaw allows attackers with an authenticated session to impersonate an unrelated user in a different database, provided a user record with the same identifier exists. Such impersonation could enable unauthorized actions if the user's permissions are solely based on the $auth parameter.
SurrealDB Untrusted Query Object Evaluation Vulnerability in RPC API Sign-In and Sign-Up Operations
A vulnerability exists in SurrealDB versions prior to 1.5.5 and 2.0.0-beta prior to 2.0.0-beta.3, where the RPC API's sign-in and sign-up operations accept arbitrary objects without proper validation for non-computed values. This flaw allows an unauthenticated attacker to encode a binary object containing a subquery using the bincode serialization format and replace the credentials with it. The injected subquery is executed within the context of the database owner's sign-in or sign-up query, under a system user session with editor privileges. As a result, the attacker can manipulate non-IAM resources by selecting, creating, updating, or deleting them, although they cannot directly view the query results or affect IAM resources, which require owner privileges.
SurrealDB Uncaught Exception Handling Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.4. The issue arises from uncaught exceptions in the parser's error handling when processing empty strings. Authorized clients can exploit this by sending malformed queries that convert empty strings into record, duration, or datetime types. This conversion failure triggers a panic in the error rendering process, causing the server to crash.
SurrealDB Denial-of-Service Vulnerability via Random Sorting in ORDER BY Clause
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.1.0. The issue arises in the sorting mechanism when the ORDER BY rand() clause is used. Authorized clients can execute queries with this clause, triggering a panic in the sorting function that crashes the server.
