SurrealDB
- < 2.2.2
- < 2.0.5
- < 2.1.5
A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2. The issue arises because these versions do not impose a default execution-time limit on embedded JavaScript functions when scripting is enabled. This lack of restriction allows authenticated attackers to submit long-running scripts that can exhaust server resources, leading to a denial-of-service condition. Scripting is disabled by default, but can be enabled with specific command-line flags or environment variables.
Exploitation of this vulnerability allows authenticated attackers to execute long-running JavaScript functions, causing server resource exhaustion and denial-of-service conditions.
Users can upgrade to SurrealDB versions 2.2.2, 2.1.5, or 2.0.5. For those unable to upgrade, SurrealDB can be configured to deny scripting execution by using the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.