SurrealDB Denial-of-Service Vulnerability via Nonexistent Built-in Functions

Vulnerability

A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.2.0. This issue arises from an uncaught exception in the query executor, which occurs when the server processes calls to nonexistent built-in functions. Authorized clients can exploit this vulnerability by crafting pre-parsed queries that invoke these nonexistent functions, leading to a server panic and subsequent crash.

Impact

Exploitation of this vulnerability causes the SurrealDB server to crash, creating a denial-of-service condition.

Remediation

Users can update to SurrealDB version 1.2.0 or later to address this vulnerability. Those unable to update should consider restricting untrusted users from executing arbitrary SurrealQL queries on affected versions and ensure the SurrealDB process can automatically restart after a crash.

Added: Jul 18, 2026, 2:31 PM
Updated: Jul 18, 2026, 2:31 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.2
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.