PT-2024-40112 · SurrealDB · SurrealDB

Published: 2024-09-11 · Updated: 2024-09-11

CVSS v4.0: 8.7 (High)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SurrealDB versions prior to 1.5.5; SurrealDB versions prior to 2.0.0-beta.3
Description: The issue arises during sign in and sign up operations performed through the SurrealDB RPC API. To support the various credential shapes that record access methods may require, these RPC methods accept an arbitrary object rather than fixed credential fields. When the request is encoded with the bincode serialization format, that object can carry a subquery instead of plain data, because bincode deserializes directly into SurrealDB's internal value representation (which includes query values), whereas a text format such as JSON can only express ordinary data types. If a record access method was defined with a SIGNIN or a SIGNUP query and the SurrealDB RPC API was exposed to untrusted users, an unauthenticated attacker could craft a bincode-encoded object containing a subquery and submit it in place of valid credentials. The SIGNIN or SIGNUP query is evaluated with the attacker-supplied values as its parameters, so the embedded subquery runs with the permissions of the system user (editor role) under which access queries execute. The attacker could thereby select, create, update, and delete non-IAM resources, that is, data reachable by the editor role but not IAM definitions such as users or access methods.
Recommendations: For versions prior to 1.5.5, update to version 1.5.5 or later. For versions prior to 2.0.0-beta.3, update to version 2.0.0-beta.3 or later. As a temporary workaround, consider disallowing access to the SurrealDB RPC API using the affected binary serialization formats by only allowing requests to the "/rpc" endpoint with the "application/json" content type. Note that "/rpc" also serves WebSocket connections, for which the serialization format is negotiated through the WebSocket subprotocol (Sec-WebSocket-Protocol header) rather than the Content-Type header, so a filter based on Content-Type alone should be verified to also refuse upgrade requests that do not select the JSON format. Alternatively, disallowing or restricting access to the "/rpc" endpoint of the SurrealDB HTTP server will also prevent exploitation if the RPC API is not used at all or is only used by trusted clients. Record access methods that define SIGNIN and SIGNUP clauses may be temporarily removed to completely prevent potential attacks leveraging this issue, at the cost of disabling record-level authentication until the server is upgraded.
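The first workaround above, as an added example that is not part of this advisory or of the SurrealDB project: an nginx reverse proxy placed in front of SurrealDB that lets only JSON-encoded RPC traffic reach "/rpc", both for plain HTTP requests (checked via Content-Type) and for WebSocket sessions (checked via the negotiated subprotocol). The upstream address 127.0.0.1:8000, the hostname, the certificate paths and the use of nginx itself are assumptions; the "json" subprotocol token is the one SurrealDB uses to select its JSON WebSocket format.

```nginx
# Added example (not from the advisory or SurrealDB): reverse proxy that blocks
# binary RPC formats. Assumes SurrealDB listens on 127.0.0.1:8000 (hypothetical).

# Plain HTTP RPC: the serialization format is taken from the Content-Type header.
# Accept "application/json" with an optional charset parameter, nothing else.
map $http_content_type $rpc_http_ok {
    default                 0;
    "~*^application/json"   1;
}

# WebSocket RPC: SurrealDB picks the format from the Sec-WebSocket-Protocol
# header. Require "json" explicitly; an absent or different subprotocol is
# refused so the server never falls back to a binary format.
map $http_sec_websocket_protocol $rpc_ws_ok {
    default      0;
    "~*^json$"   1;
}

# Is this an Upgrade request?
map $http_upgrade $rpc_is_ws {
    default           0;
    "~*^websocket$"   1;
}

# Combine: non-upgrade requests need a JSON Content-Type, upgrade requests
# need the json subprotocol. Everything else is denied.
map "$rpc_is_ws:$rpc_http_ok:$rpc_ws_ok" $rpc_allowed {
    default       0;
    "~^0:1:"      1;   # plain HTTP, application/json
    "~^1:.:1$"    1;   # WebSocket upgrade negotiating json
}

# Standard idiom for forwarding WebSocket upgrades to the upstream.
map $http_upgrade $connection_upgrade {
    default   upgrade;
    ''        close;
}

server {
    listen 443 ssl;
    server_name db.example.internal;             # assumed hostname
    ssl_certificate     /etc/nginx/tls/db.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/db.key;

    location = /rpc {
        # Reject before anything reaches SurrealDB. If the RPC API is not used
        # at all, replace the whole body of this location with "return 404;".
        if ($rpc_allowed = 0) {
            return 415;   # Unsupported Media Type: binary RPC formats blocked
        }
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;   # keep long-lived WebSocket sessions open
    }

    # Remaining endpoints (/sql, /key, /health, ...) are proxied unchanged.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
    }
}
```

Verify the filter from the outside before relying on it: a POST to /rpc with Content-Type application/json must still succeed, a POST with any other content type and a WebSocket upgrade without "Sec-WebSocket-Protocol: json" must receive 415. The subprotocol check deliberately rejects a comma-separated list of offered protocols; relax the regular expression only if a client you trust genuinely offers several and you have confirmed which one the server picks.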


Related Identifiers

GHSA-64F8-PJGR-9WMR

Affected Products

SurrealDB