PT-2026-60958 · Surrealdb · Surrealdb

·

CVE-2025-71397

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions SurrealDB versions prior to 2.0.5 SurrealDB versions 2.1.x prior to 2.1.5 SurrealDB versions 2.2.x prior to 2.2.2
Description Authenticated users with OWNER or EDITOR permissions at the root, namespace, or database level can cause a denial of service. By using the DEFINE FUNCTION statement to create custom database functions containing nested FOR loops, an attacker can bypass iteration constraints. While a single loop is limited, nesting multiple loops allows for an execution that consumes all server CPU resources. This condition persists regardless of configured timeouts, making the server unresponsive to other queries and connections until a manual restart is performed.
Recommendations Update SurrealDB to version 2.0.5 or later. Update SurrealDB 2.1.x to version 2.1.5 or later. Update SurrealDB 2.2.x to version 2.2.2 or later.

Fix

DoS

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71397

Affected Products

Surrealdb