In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade surrealdb to version 3.1.5 or higher.
Affected versions of this package are vulnerable to Information Exposure in the ORDER BY process. An attacker can infer the relative ordering of restricted field values by issuing queries that sort on those fields, even when direct access is denied. This can be achieved by leveraging indexed fields with field-level SELECT permissions, allowing the attacker to deduce information about hidden data through the returned row order.
This vulnerability can be mitigated by forcing the legacy executor with the environment variable SURREAL_PLANNER_STRATEGY=compute-only, avoiding indexes on fields hidden by field-level SELECT permissions, restricting access at the table level instead of the field level, or using namespace/database isolation as the primary trust boundary.