SurrealDB Uncaught Exception Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.2.2. This issue arises from an uncaught exception in the net module, allowing authenticated users to crash the database. Attackers can exploit this vulnerability by sending crafted HTTP queries with null bytes to the /sql endpoint. The unhandled exception causes the SurrealDB instance to crash, along with any dependent applications.

Impact

Exploitation of this vulnerability allows authenticated users to crash the SurrealDB database instance, disrupting any applications that rely on it.

Remediation

Users can update to SurrealDB versions 2.2.2, 2.1.5, or 2.0.5 to address this vulnerability. For those unable to update, it is recommended to limit untrusted clients' ability to execute arbitrary queries and to ensure the SurrealDB process can be automatically restarted after a crash. Additionally, applications using SurrealDB should sanitize inputs to prevent injection attacks.

Added: Jul 18, 2026, 2:28 PM
Updated: Jul 18, 2026, 2:28 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.2
remediation
0.0
relevance
9.9
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.