GHSA-CC8F-FCX3-GPJR
Vulnerability from github – Published: 2026-06-19 22:10 – Updated: 2026-06-19 22:10SurrealDB's full-text search lets you define a text analyzer whose mapper filter loads a term-mapping file from disk (DEFINE ANALYZER ... FILTERS mapper('<path>')). A database user with the EDITOR or OWNER role could point that filter at any file the SurrealDB process can read and have its content returned in the query's error message.
File access is meant to be restricted by the SURREAL_FILE_ALLOWLIST setting, but an empty allowlist applied no restriction at all — and empty is the default.
Impact
The file is read with the privileges of the SurrealDB process, so a database EDITOR or OWNER user can disclose the contents of any file the process can access. Only the first line of the file is returned, except for files with no newlines.
However recovering the process's command line and environment could expose startup root credentials (--user / --pass) and secret environment variables, escalating a single-database role toward full control of the instance.
The read on the underlying filesystem is bounded by what the SurrealDB process can reach — any file readable by the OS user it runs as — so the impact scales with how the process is run and what is mounted into it.
Patches
A patch has been included in SurrealDB 3.1.5.
File access is now secure by default. check_is_path_allowed denies every path when no SURREAL_FILE_ALLOWLIST is configured, so the mapper filter cannot open any file unless the operator has explicitly allowed its directory. Analyzer parse errors no longer include the contents of the mapped file, only the line number.
Workarounds
Users unable to upgrade are advised to consider the following:
- Set
SURREAL_FILE_ALLOWLISTto a directory that contains only the intended mapping files; this confines themapperfilter to that path. On affected versions the allowlist must be non-empty to have any effect. - Grant the
EDITORandOWNERdatabase roles only to trusted principals. - Avoid supplying secrets — including the root credentials — on the command line or through environment variables; prefer mounted files with least-privilege permissions.
References
- SurrealQL Documentation — DEFINE ANALYZER
- SurrealDB Documentation — Capabilities
- Related earlier advisory: GHSA-2cvj-g5r5-jrrg local file read of 2-column TSV files via analyzers
- https://github.com/surrealdb/surrealdb/pull/5600
- fix(iam): deny filesystem access by default and stop leaking file content in analyzer errors
Acknowledgements
Thanks to Jan Kahmen (@kah-ja) for finding and reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T22:10:48Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "SurrealDB\u0027s full-text search lets you define a text analyzer whose `mapper` filter loads a term-mapping file from disk (`DEFINE ANALYZER ... FILTERS mapper(\u0027\u003cpath\u003e\u0027)`). A database user with the `EDITOR` or `OWNER` role could point that filter at any file the SurrealDB process can read and have its content returned in the query\u0027s error message.\n\nFile access is meant to be restricted by the `SURREAL_FILE_ALLOWLIST` setting, but an empty allowlist applied no restriction at all \u2014 and empty is the default. \n\n## Impact\n\nThe file is read with the privileges of the SurrealDB process, so a database `EDITOR` or `OWNER` user can disclose the contents of any file the process can access. Only the **first line** of the file is returned, except for files with no newlines.\n\nHowever recovering the process\u0027s command line and environment could expose startup root credentials (`--user` / `--pass`) and secret environment variables, escalating a single-database role toward full control of the instance.\n\nThe read on the underlying filesystem is bounded by what the SurrealDB process can reach \u2014 any file readable by the OS user it runs as \u2014 so the impact scales with how the process is run and what is mounted into it.\n\n## Patches\n\nA patch has been included in SurrealDB 3.1.5.\n\nFile access is now secure by default. `check_is_path_allowed` denies every path when no `SURREAL_FILE_ALLOWLIST` is configured, so the `mapper` filter cannot open any file unless the operator has explicitly allowed its directory. Analyzer parse errors no longer include the contents of the mapped file, only the line number.\n\n## Workarounds\n\nUsers unable to upgrade are advised to consider the following:\n\n- Set `SURREAL_FILE_ALLOWLIST` to a directory that contains only the intended mapping files; this confines the `mapper` filter to that path. On affected versions the allowlist must be non-empty to have any effect.\n- Grant the `EDITOR` and `OWNER` database roles only to trusted principals.\n- Avoid supplying secrets \u2014 including the root credentials \u2014 on the command line or through environment variables; prefer mounted files with least-privilege permissions.\n\n## References\n\n- [SurrealQL Documentation \u2014 DEFINE ANALYZER](https://surrealdb.com/docs/surrealql/statements/define/analyzer#define-analyzer-statement)\n- [SurrealDB Documentation \u2014 Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities)\n- Related earlier advisory: [GHSA-2cvj-g5r5-jrrg](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-2cvj-g5r5-jrrg) local file read of 2-column TSV files via analyzers\n- https://github.com/surrealdb/surrealdb/pull/5600\n- fix(iam): deny filesystem access by default and stop leaking file content in analyzer errors\n\n## Acknowledgements\n\nThanks to Jan Kahmen ([@kah-ja](https://github.com/kah-ja)) for finding and reporting this issue.",
"id": "GHSA-cc8f-fcx3-gpjr",
"modified": "2026-06-19T22:10:48Z",
"published": "2026-06-19T22:10:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-cc8f-fcx3-gpjr"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/5600"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.