SurrealDB
- < 1.1.0
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.1.0. The issue arises in the HTTP REST API when the ID, DB, and NS headers contain special characters. Unauthenticated attackers can exploit this vulnerability by sending crafted HTTP requests with malformed header values, leading to an uncaught exception that crashes the server.
Exploitation of this vulnerability causes the SurrealDB server to crash, disrupting service and requiring a manual restart.
Users can update to SurrealDB version 1.1.0 or later, which addresses this vulnerability. Those unable to update should consider restricting untrusted access to the SurrealDB HTTP REST API and ensuring that the SurrealDB process can be automatically restarted after a crash.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.