SurrealDB Uncaught Exception Handling Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.4. The issue arises from uncaught exceptions in the parser's error handling when processing empty strings. Authorized clients can exploit this by sending malformed queries that convert empty strings into record, duration, or datetime types. This conversion failure triggers a panic in the error rendering process, causing the server to crash.

Impact

Exploitation of this vulnerability leads to a server crash, causing a denial-of-service condition.

Remediation

Users can update to SurrealDB version 2.0.4 or later to address this vulnerability. Those unable to update should consider restricting untrusted clients from executing arbitrary SurrealQL queries and ensure the SurrealDB process can automatically restart after a crash.

Added: Jul 18, 2026, 2:33 PM
Updated: Jul 18, 2026, 2:33 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.2
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.