PT-2026-60952 · Surrealdb · Surrealdb

·

CVE-2025-71391

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.2.2
Description An uncaught exception exists in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the '/sql' endpoint, causing an unhandled exception that crashes the SurrealDB instance and any dependent applications.
Recommendations Update SurrealDB to version 2.2.2 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71391

Affected Products

Surrealdb