SurrealDB Denial-of-Service Vulnerability via Unrestricted JavaScript Execution Time

Vulnerability

A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2. The issue arises because these versions do not impose a default execution-time limit on embedded JavaScript functions when scripting is enabled. This lack of restriction allows authenticated attackers to submit long-running scripts that can exhaust server resources, leading to a denial-of-service condition. Scripting is disabled by default, but can be enabled with specific command-line flags or environment variables.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute long-running JavaScript functions, causing server resource exhaustion and denial-of-service conditions.

Remediation

Users can upgrade to SurrealDB versions 2.2.2, 2.1.5, or 2.0.5. For those unable to upgrade, SurrealDB can be configured to deny scripting execution by using the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`.

Added: Jul 18, 2026, 2:26 PM
Updated: Jul 18, 2026, 2:26 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.2
remediation
0.0
relevance
9.9
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.