Through enabling the scripting capability. SurrealDB allows for advanced functions with complicated logic, by allowing embedded functions to be written in JavaScript.

These functions are bounded for memory and stack size, but not in time. An attacker could launch a number of long running functions that could potentially facilitate a Denial Of Service attack.

This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with --allow-scripting or --allow-all and equivalent environment variables SURREAL CAPS ALLOW SCRIPT=true and SURREAL CAPS ALLOW ALL=true.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Low, matched by our CVSS v4 assessment.

An attacker can use the scripting capabilities of SurrealDB to run a series of long running functions to facilitate a Denial Of Service attack.

A default timeout for the scripting functions has been implemented with a configurable SURREAL SCRIPTING MAX TIME LIMIT environment variable

For users that cannot upgrade. Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL CAPS DENY SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.

5597 SurrealDB Documentation - Capabilities SurrealQL Documentation - Scripting Functions