SurrealDB Denial-of-Service Vulnerability via CPU Exhaustion from Nested FOR Loops

Vulnerability

A denial-of-service vulnerability has been identified in SurrealDB versions prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2. This vulnerability allows authenticated users with OWNER or EDITOR permissions at the root, namespace, or database level to create custom database functions using the DEFINE FUNCTION statement. The issue arises from the ability to nest FOR loops, each capable of iterating up to 1,000,000 times. While a single loop's iterations are limited, nesting multiple loops can lead to functions that consume excessive CPU resources. This unchecked execution monopolizes server processing, causing the database to become unresponsive to other queries and connections until it is manually restarted.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the SurrealDB server to become unresponsive and requiring a manual restart to restore functionality.

Remediation

Users can upgrade to SurrealDB versions 2.0.5, 2.1.5, or 2.2.2. For those unable to upgrade, consider using the --allow-functions and/or --deny-functions options, or the corresponding SURREAL_CAPS_ALLOW_FUNC and SURREAL_CAPS_DENY_FUNC environment variables, to manage the execution of custom functions.

Added: Jul 18, 2026, 2:25 PM
Updated: Jul 18, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
4.8
remediation
0.0
relevance
9.9
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.