PT-2026-60957 · Surrealdb · Surrealdb
CVSS v4.0
2.3
Low
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
SurrealDB versions prior to 2.0.5
SurrealDB versions 2.1.x prior to 2.1.5
SurrealDB versions 2.2.x prior to 2.2.2
Description
When the scripting capability is explicitly enabled via
--allow-scripting or --allow-all, the system fails to enforce a default execution-time limit on embedded JavaScript scripting functions. An authenticated attacker can exploit this by submitting long-running JavaScript functions to exhaust server resources, resulting in a denial of service. Scripting is disabled by default.Recommendations
Update SurrealDB to version 2.0.5 or later.
Update SurrealDB 2.1.x to version 2.1.5 or later.
Update SurrealDB 2.2.x to version 2.2.2 or later.
As a temporary mitigation, ensure that scripting is disabled by not using the
--allow-scripting or --allow-all flags.Fix
DoS
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Surrealdb