Information Exposure Affecting surrealdb package, versions <3.1.5


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Information Exposure vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-SURREALDB-17661102
  • published28 Jun 2026
  • disclosed19 Jun 2026
  • creditUnknown

Introduced: 19 Jun 2026

New CVE NOT AVAILABLE CWE-209  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade surrealdb to version 3.1.5 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure via the mapper filter in the DEFINE ANALYZER statement. An attacker can access arbitrary files on the filesystem and disclose their contents by specifying a file path that the process can read, resulting in sensitive information being returned in error messages. This is only exploitable if the SURREAL_FILE_ALLOWLIST setting is empty or misconfigured, which is the default state in affected versions.

Workaround

This vulnerability can be mitigated by setting the SURREAL_FILE_ALLOWLIST environment variable to a directory containing only intended mapping files, restricting the mapper filter to that path. Additionally, limit the assignment of EDITOR and OWNER roles to trusted users and avoid supplying secrets via command line or environment variables.

CVSS Base Scores

version 4.0
version 3.1