SurrealDB
- < 2.2.2
- < 2.1.5
- < 2.0.5
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.2.2. This issue arises from an uncaught exception in the net module, allowing authenticated users to crash the database. Attackers can exploit this vulnerability by sending crafted HTTP queries with null bytes to the /sql endpoint. The unhandled exception causes the SurrealDB instance to crash, along with any dependent applications.
Exploitation of this vulnerability allows authenticated users to crash the SurrealDB database instance, disrupting any applications that rely on it.
Users can update to SurrealDB versions 2.2.2, 2.1.5, or 2.0.5 to address this vulnerability. For those unable to update, it is recommended to limit untrusted clients' ability to execute arbitrary queries and to ensure the SurrealDB process can be automatically restarted after a crash. Additionally, applications using SurrealDB should sanitize inputs to prevent injection attacks.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.