SurrealDB
- < 1.1.0
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 1.1.0. The issue arises because the SurrealQL parser does not properly enforce recursion depth limits when processing nested statements and idioms, such as 'IF', 'RELATE', and attribute access. This flaw allows authorized attackers to submit queries with excessive nesting, leading to a stack overflow that crashes the server.
Exploitation of this vulnerability causes a stack overflow, leading to a crash of the SurrealDB server and a denial-of-service condition.
Users can update to SurrealDB version 1.1.0 or later to address this vulnerability. Those unable to update should consider restricting untrusted users from executing arbitrary SurrealQL queries and ensure that the SurrealDB process can automatically restart after a crash.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.