SurrealDB
- >= 2.0.0, < 2.0.4
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.4. The issue arises from uncaught exceptions in the parser's error handling when processing empty strings. Authorized clients can exploit this by sending malformed queries that convert empty strings into record, duration, or datetime types. This conversion failure triggers a panic in the error rendering process, causing the server to crash.
Exploitation of this vulnerability leads to a server crash, causing a denial-of-service condition.
Users can update to SurrealDB version 2.0.4 or later to address this vulnerability. Those unable to update should consider restricting untrusted clients from executing arbitrary SurrealQL queries and ensure the SurrealDB process can automatically restart after a crash.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.