PT-2026-60954 · Surrealdb · Surrealdb
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
SurrealDB versions prior to 2.2.2
Description
When scripting is enabled, the system fails to properly enforce recursion limits in cases where native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass these limits by chaining native and JavaScript function calls, leading to infinite recursion and the exhaustion of server memory.
Recommendations
Update to version 2.2.2 or later.
Disable scripting functionality as a temporary mitigation measure.
Fix
Uncontrolled Recursion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Surrealdb