PT-2026-60957 · Surrealdb · Surrealdb

·

CVE-2025-71396

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

2.3

Low

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.0.5 SurrealDB versions 2.1.x prior to 2.1.5 SurrealDB versions 2.2.x prior to 2.2.2
Description When the scripting capability is explicitly enabled via --allow-scripting or --allow-all, the system fails to enforce a default execution-time limit on embedded JavaScript scripting functions. An authenticated attacker can exploit this by submitting long-running JavaScript functions to exhaust server resources, resulting in a denial of service. Scripting is disabled by default.
Recommendations Update SurrealDB to version 2.0.5 or later. Update SurrealDB 2.1.x to version 2.1.5 or later. Update SurrealDB 2.2.x to version 2.2.2 or later. As a temporary mitigation, ensure that scripting is disabled by not using the --allow-scripting or --allow-all flags.

Fix

DoS

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71396

Affected Products

Surrealdb