Upgrade surrealdb to version 3.1.0-beta.3 or higher.
Affected versions of this package are vulnerable to Insufficient Session Expiration in the LIVE SELECT subscription process. A LIVE SELECT subscription registered on a connection is not torn down when that connection's session is later revoked, expires, or is re-authenticated. An attacker who keeps the existing connection open therefore continues to receive real-time notifications under the permissions of the previous authentication state, and so obtains information that should no longer be accessible under the current session's permissions.
Until the upgrade is applied, the client-side workaround is to call reset() to tear down every LIVE query owned by the session, or to kill each outstanding live query ID individually, before signing out, signing in as a different identity, or signing up on an existing connection. There is no client-side workaround for the TTL-expiry scenario, since the session expires without any client action that could trigger the tear-down; deployments concerned about this should restrict DURATION FOR SESSION on access methods that can register LIVE queries.
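The following Python model is an added illustration and is not SurrealDB's code or the vendor's fix. It reproduces the failure mode described above (a subscription registered under one session keeps delivering after re-sign-in or TTL expiry on the same connection) and the client-side workaround of calling reset() or kill before changing identity. All class and method names are hypothetical, and the `strict` flag models an assumed server-side re-check of the current session, not the actual patch.

```python
"""Toy model of LIVE SELECT subscriptions bound to a connection's session.

Added example, not SurrealDB's code. `Connection` stands in for one long-lived
client connection; `notify()` stands in for the server delivering a change on a
table to every live query registered on that connection. The `strict` flag is an
assumed server-side fix (re-validate the current session before delivering).
"""
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    identity: str
    readable: frozenset            # tables this identity may SELECT
    expires_at: Optional[float]    # None = no DURATION FOR SESSION


ANON = Session("anonymous", frozenset(), None)


@dataclass
class LiveQuery:
    id: str
    table: str
    session: Session   # authentication state captured at registration time


class Connection:
    """One connection: current session, its live queries, delivered notifications."""

    def __init__(self, strict: bool = False):
        self.strict = strict
        self.clock = 0.0                 # seconds; advanced manually below
        self.session = ANON
        self.live: dict = {}             # live query id -> LiveQuery
        self.delivered: list = []        # (live id, identity, record)

    # -- authentication on an existing connection --------------------------
    def signin(self, identity: str, readable, ttl: Optional[float] = None):
        expires = self.clock + ttl if ttl is not None else None
        self.session = Session(identity, frozenset(readable), expires)

    def signout(self):
        self.session = ANON

    def session_valid(self) -> bool:
        exp = self.session.expires_at
        return exp is None or self.clock < exp

    # -- live queries ------------------------------------------------------
    def live_select(self, table: str) -> str:
        if table not in self.session.readable:
            raise PermissionError(f"{self.session.identity} may not SELECT {table}")
        lq = LiveQuery(str(uuid.uuid4()), table, self.session)
        self.live[lq.id] = lq
        return lq.id

    def kill(self, live_id: str):
        self.live.pop(live_id, None)

    def reset(self):
        """Tear down every live query owned by this connection (the workaround)."""
        for live_id in list(self.live):
            self.kill(live_id)

    # -- server side: a record on `table` changed --------------------------
    def notify(self, table: str, record: str):
        for lq in self.live.values():
            if lq.table != table:
                continue
            # Vulnerable behaviour: deliver under the session captured at
            # registration, regardless of what the connection's session is now.
            if self.strict and (lq.session != self.session or not self.session_valid()):
                continue   # assumed fix: stale or expired session receives nothing
            self.delivered.append((lq.id, lq.session.identity, record))


def records_after_reauth(workaround: bool):
    """alice subscribes, then bob signs in on the same connection."""
    c = Connection()
    c.signin("alice", {"alice_inbox"})
    c.live_select("alice_inbox")
    if workaround:
        c.reset()            # or c.kill(live_id) for each outstanding id
    c.signin("bob", {"bob_inbox"})
    c.notify("alice_inbox", "private message for alice")
    return [record for (_, _, record) in c.delivered]


def records_after_ttl_expiry(strict: bool):
    """alice's session has a 60 s TTL; the connection outlives it."""
    c = Connection(strict=strict)
    c.signin("alice", {"alice_inbox"}, ttl=60)
    c.live_select("alice_inbox")
    c.clock += 120           # session expired; no client call can fix this case
    c.notify("alice_inbox", "message after expiry")
    return [record for (_, _, record) in c.delivered]


if __name__ == "__main__":
    print(records_after_reauth(workaround=False))   # ['private message for alice']
    print(records_after_reauth(workaround=True))    # []
    print(records_after_ttl_expiry(strict=False))   # ['message after expiry']
    print(records_after_ttl_expiry(strict=True))    # []
```

The re-authentication case shows why the workaround is ordered the way the advisory states: reset() or kill must run before signin(), because once the identity has changed the connection still carries subscriptions whose permissions were evaluated for the old identity. The TTL case shows the gap the workaround cannot close: nothing on the client runs when the session simply ages out, so only a shorter DURATION FOR SESSION (or the upgraded server) limits the exposure window.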