SurrealDB Denial-of-Service Vulnerability via Global Parameters and Functions

Vulnerability

A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.1.1. The issue arises because the database fails to properly validate the invocation of custom parameters and functions at the root or namespace levels. Authorized clients can exploit this flaw by invoking these entities at unsupported levels, leading to a server panic and causing the SurrealDB server to crash.

Impact

Exploiting this vulnerability causes a server panic, crashing the SurrealDB server and leading to a denial-of-service condition.

Remediation

Users can update to SurrealDB version 1.1.1 or later to address this vulnerability. Those unable to update may want to limit untrusted users' ability to run arbitrary SurrealQL queries at the root or namespace level, and ensure that the SurrealDB process can be automatically restarted after a crash.

Added: Jul 18, 2026, 2:30 PM
Updated: Jul 18, 2026, 2:30 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.2
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.