SurrealDB Uncontrolled Recursion Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.1.0. The issue arises because the SurrealQL parser does not properly enforce recursion depth limits when processing nested statements and idioms, such as 'IF', 'RELATE', and attribute access. This flaw allows authorized attackers to submit queries with excessive nesting, leading to a stack overflow that crashes the server.

Impact

Exploitation of this vulnerability causes a stack overflow, leading to a crash of the SurrealDB server and a denial-of-service condition.

Remediation

Users can update to SurrealDB version 1.1.0 or later to address this vulnerability. Those unable to update should consider restricting untrusted users from executing arbitrary SurrealQL queries and ensure that the SurrealDB process can automatically restart after a crash.

Added: Jul 18, 2026, 2:29 PM
Updated: Jul 18, 2026, 2:29 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.2
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.