Information Exposure Affecting surrealdb package, versions >=3.0.0 <3.1.5


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-SURREALDB-17661105
  • published28 Jun 2026
  • disclosed19 Jun 2026
  • creditUnknown

Introduced: 19 Jun 2026

New CVE NOT AVAILABLE CWE-200  (opens in a new tab)

How to fix?

Upgrade surrealdb to version 3.1.5 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure in the ORDER BY process. An attacker can infer the relative ordering of restricted field values by issuing queries that sort on those fields, even when direct access is denied. This can be achieved by leveraging indexed fields with field-level SELECT permissions, allowing the attacker to deduce information about hidden data through the returned row order.

Workaround

This vulnerability can be mitigated by forcing the legacy executor with the environment variable SURREAL_PLANNER_STRATEGY=compute-only, avoiding indexes on fields hidden by field-level SELECT permissions, restricting access at the table level instead of the field level, or using namespace/database isolation as the primary trust boundary.

References

CVSS Base Scores

version 4.0
version 3.1