SurrealDB Recursion Limit Bypass Vulnerability Leading to Memory Exhaustion

Vulnerability

A vulnerability exists in SurrealDB versions prior to 2.2.2, 2.1.5, and 2.0.5, when scripting is enabled. The issue arises because the database fails to properly enforce recursion limits. Authenticated attackers can exploit this by chaining native functions with embedded JavaScript that issues new queries, creating infinite recursion that exhausts server memory. This vulnerability only affects SurrealDB instances with scripting capabilities enabled, either through command-line flags or environment variables.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing the server to run out of memory and potentially crash.

Remediation

Users can upgrade to SurrealDB versions 2.2.2, 2.1.5, or 2.0.5 to address this vulnerability. Alternatively, SurrealDB can be configured to deny the execution of embedded scripting functions by using the `--deny-scripting` flag or the environment variable `SURREAL_CAPS_DENY_SCRIPT=true`.

Added: Jul 18, 2026, 2:27 PM
Updated: Jul 18, 2026, 2:27 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.2
remediation
0.0
relevance
10.0
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.