GHSA-3824-QMFQ-2QV7
Vulnerability from github – Published: 2025-04-11 14:08 – Updated: 2025-04-11 14:08Through enabling the scripting capability. SurrealDB allows for advanced functions with complicated logic, by allowing embedded functions to be written in JavaScript.
These functions are bounded for memory and stack size, but not in time. An attacker could launch a number of long running functions that could potentially facilitate a Denial Of Service attack.
This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with --allow-scripting or
--allow-all and equivalent environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true.
This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Low, matched by our CVSS v4 assessment.
Impact
An attacker can use the scripting capabilities of SurrealDB to run a series of long running functions to facilitate a Denial Of Service attack.
Patches
A default timeout for the scripting functions has been implemented with a configurable SURREAL_SCRIPTING_MAX_TIME_LIMIT environment variable
- Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.
Workarounds
For users that cannot upgrade. Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.
References
5597 SurrealDB Documentation - Capabilities SurrealQL Documentation - Scripting Functions
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-11T14:08:45Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Through enabling the scripting capability. SurrealDB allows for advanced functions with complicated logic, by allowing embedded functions to be written in JavaScript.\n\nThese functions are bounded for memory and stack size, but not in time. An attacker could launch a number of long running functions that could potentially facilitate a Denial Of Service attack.\n\nThis vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with `--allow-scripting` or\n`--allow-all` and equivalent environment variables `SURREAL_CAPS_ALLOW_SCRIPT=true` and `SURREAL_CAPS_ALLOW_ALL=true`.\n\nThis issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53\u0027s preliminary finding is Low, matched by our CVSS v4 assessment.\n\n### Impact\nAn attacker can use the scripting capabilities of SurrealDB to run a series of long running functions to facilitate a Denial Of Service attack.\n\n### Patches\nA default timeout for the scripting functions has been implemented with a configurable `SURREAL_SCRIPTING_MAX_TIME_LIMIT` environment variable\n\n- Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.\n\n### Workarounds\nFor users that cannot upgrade. Deny execution of embedded scripting functions through the configuration of [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#capabilities) by starting SurrealDB with the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`. This has a usability implication, although scripting functions are disabled by default.\n\n### References\n[5597](https://github.com/surrealdb/surrealdb/pull/5597)\n[SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities)\n[SurrealQL Documentation - Scripting Functions](https://surrealdb.com/docs/surrealql/functions/script)",
"id": "GHSA-3824-qmfq-2qv7",
"modified": "2025-04-11T14:08:45Z",
"published": "2025-04-11T14:08:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-3824-qmfq-2qv7"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/5597"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SurrealDB no JavaScript script function default timeout could facilitate DoS"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.