PT-2026-60953 · Surrealdb · Surrealdb

·

CVE-2025-71392

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

9.4

Critical

VectorAV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.0.5 SurrealDB versions 2.1.x prior to 2.1.5 SurrealDB versions 2.2.x prior to 2.2.2
Description SurrealDB fails to properly escape table and field names during the command-line export process. An authenticated System User with OWNER or EDITOR roles can create tables or fields with names containing malicious SurrealQL. When a higher-privileged user imports the resulting backup, the injected SurrealQL executes, leading to privilege escalation and root-level takeover of the instance. This issue also exposes applications that allow users to define custom tables or fields to a universal second-order SurrealQL injection, even if query parameters are sanitized.
Recommendations Update SurrealDB to version 2.0.5. Update SurrealDB to version 2.1.5. Update SurrealDB to version 2.2.2.

Fix

LPE

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71392

Affected Products

Surrealdb