In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Information Exposure vulnerabilities in an interactive lesson.
Start learningUpgrade surrealdb to version 3.1.5 or higher.
Affected versions of this package are vulnerable to Information Exposure via the mapper filter in the DEFINE ANALYZER statement. An attacker can access arbitrary files on the filesystem and disclose their contents by specifying a file path that the process can read, resulting in sensitive information being returned in error messages. This is only exploitable if the SURREAL_FILE_ALLOWLIST setting is empty or misconfigured, which is the default state in affected versions.
This vulnerability can be mitigated by setting the SURREAL_FILE_ALLOWLIST environment variable to a directory containing only intended mapping files, restricting the mapper filter to that path. Additionally, limit the assignment of EDITOR and OWNER roles to trusted users and avoid supplying secrets via command line or environment variables.