Unintended Proxy or Intermediary ('Confused Deputy') Affecting surrealdb package, versions <2.5.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-SURREALDB-15091562
- published25 Jan 2026
- disclosed22 Jan 2026
- creditCure53
Introduced: 22 Jan 2026
New CVE NOT AVAILABLE CWE-441 (opens in a new tab)How to fix?
Upgrade surrealdb to version 2.5.0 or higher.
Overview
Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the futures or closures fields and functions. An attacker can execute arbitrary logic with elevated privileges by creating or modifying fields that contain functions or future values, which are then executed in the context of a higher-privileged user who queries or modifies the affected record. This can result in full privilege escalation, server takeover, or, if network capabilities are enabled and unrestricted, exfiltration of database information over the network.
Workaround
This vulnerability can be mitigated by minimizing instances where low-privileged users are able to define logic subsequently executed by privileged users, such as apis, functions, futures fields, and events.