Insufficient Session Expiration Affecting surrealdb package, versions <3.1.0-beta.3


Severity

medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-SURREALDB-17797682
  • Published: 2 Jul 2026
  • Disclosed: 1 Jul 2026
  • Credit: Unknown

Introduced: 1 Jul 2026

CVE: not available. Weakness: CWE-613

How to fix?

Upgrade surrealdb to version 3.1.0-beta.3 or higher.

Overview

Affected versions of this package are vulnerable to Insufficient Session Expiration in the LIVE SELECT subscription process. An attacker can maintain access to real-time notifications associated with a previous authentication state by continuing to use an existing connection after the session has been revoked, expired, or re-authenticated. This allows the attacker to receive information that should no longer be accessible under the current session's permissions.

Workaround

This vulnerability can be mitigated by calling reset() to tear down all LIVE queries owned by the session or by using kill on each outstanding live query ID before signing out, signing in as a different identity, or signing up on an existing connection. There is no client-side workaround for the TTL-expiry scenario; deployments concerned about this should restrict DURATION FOR SESSION on access methods that can register LIVE queries.
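One way to apply this workaround from the client side, as an added Python example that is not part of the advisory or of any SurrealDB SDK: a wrapper that records the IDs returned by the `live` RPC call and issues `kill` for each of them before `signin`, `signup`, `authenticate` or `invalidate` goes out on the same connection. The `send(method, params)` transport shape, the `RecordingTransport` stand-in and every ID and credential value are assumptions constructed for the example.

```python
"""Client-side guard for the advisory's workaround: kill every outstanding
LIVE query before a connection's authentication state changes.
Assumed transport: send(method, params) issues one SurrealDB RPC call."""
import itertools

class LiveQueryGuard:
    """Tracks live query IDs and kills them all before any RPC that changes
    the connection's identity, so stale notifications stop flowing."""
    REAUTH_METHODS = ("signin", "signup", "authenticate", "invalidate")

    def __init__(self, send):
        self._send = send
        self._live_ids = set()

    def live(self, table):
        live_id = self._send("live", [table])  # server returns the live query UUID
        self._live_ids.add(live_id)
        return live_id

    def track(self, live_id):  # ID obtained via query('LIVE SELECT ...')
        self._live_ids.add(live_id)

    def kill_all(self):
        pending, self._live_ids = list(self._live_ids), set()
        for live_id in pending:
            self._send("kill", [live_id])
        return len(pending)  # how many live queries were torn down

    def call(self, method, params=None):
        if method in self.REAUTH_METHODS:
            self.kill_all()  # teardown must precede the identity change
        return self._send(method, params or [])

class RecordingTransport:
    """Constructed stand-in for a real connection: records calls in order
    and hands out fake live query IDs."""
    def __init__(self):
        self.calls, self._ids = [], itertools.count(1)

    def __call__(self, method, params):
        self.calls.append((method, params))
        return f"live-{next(self._ids)}" if method == "live" else None

def demo():
    transport = RecordingTransport()
    guard = LiveQueryGuard(transport)
    guard.live("person")
    guard.track("live-from-query")  # constructed ID from a LIVE SELECT statement
    guard.call("signin", [{"user": "bob", "pass": "<constructed>"}])
    return [method for method, _ in transport.calls]
```

This covers only the sign-out, sign-in and sign-up paths; the TTL-expiry case the advisory describes still has to be handled server-side with DURATION FOR SESSION.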
