PT-2026-60954 · Surrealdb · Surrealdb

·

CVE-2025-71393

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

6.0

Medium

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.2.2
Description When scripting is enabled, the system fails to properly enforce recursion limits in cases where native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass these limits by chaining native and JavaScript function calls, leading to infinite recursion and the exhaustion of server memory.
Recommendations Update to version 2.2.2 or later. Disable scripting functionality as a temporary mitigation measure.

Fix

Uncontrolled Recursion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71393

Affected Products

Surrealdb