An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

An authenticated user can crash the SurrealDB instance through memory exhaustion

A patch has been created that enforces a limit on string length SURREAL GENERATION ALLOCATION LIMIT

Affected users who are unable to update may want to limit the ability of untrusted clients to run the string::replace function in the affected versions of SurrealDB using the --deny-functions flag described within Capabilities or the equivalent SURREAL CAPS DENY FUNC environment variable.

SurrealQL Documentation - DB Functions (string::replace) SurrealDB Documentation - Capabilities SurrealDB Documentation - Environment Variables #5619 #5638