Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) Affecting surrealdb package, versions <1.5.5, >=2.0.0-beta.1 <2.0.0-beta.3


Severity: high (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-SURREALDB-7932376
  • published: 12 Sept 2024
  • disclosed: 11 Sept 2024
  • credit: Raphael Darley

Introduced: 11 Sep 2024

CVE NOT AVAILABLE CWE-75

How to fix?

Upgrade surrealdb to version 1.5.5, 2.0.0-beta.3 or higher.

Overview

Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the SIGNIN and SIGNUP operations in the RPC API. An attacker can manipulate the database operations to select, create, update, and delete non-IAM resources with elevated permissions by providing a specially crafted binary object containing a subquery instead of valid credentials. This is only exploitable if a record access method was defined with SIGNIN or SIGNUP queries and the SurrealDB RPC API was exposed to untrusted users.

Workaround

This vulnerability can be mitigated by disallowing access to the SurrealDB RPC API using the affected binary serialization formats by conservatively allowing only requests to the /rpc endpoint of the SurrealDB HTTP server with the application/json content type. Alternatively, record access methods that define SIGNIN and SIGNUP clauses may be temporarily removed to completely prevent potential attacks leveraging this issue.
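The first workaround above is a gateway rule: let a request reach the SurrealDB `/rpc` endpoint only when it carries the `application/json` content type, so the affected binary serialization formats never reach the server. The following is an added example of that rule as a small request filter; it is not SurrealDB code or part of this advisory. The `Request` type, the header lookup and the sample requests are constructed for illustration, and the rule treats a WebSocket upgrade to `/rpc` as not JSON (it carries no JSON body), which is the conservative reading of the workaround.

```python
"""Gateway-side filter for the workaround: only application/json may reach /rpc.

Added example (not SurrealDB's code). Deploy the same logic in whatever reverse
proxy fronts SurrealDB; the decision must be made on the same path the server
routes on, so normalize the path before comparing it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The only media type the workaround allows through to the RPC endpoint.
ALLOWED_RPC_MEDIA_TYPE = "application/json"
RPC_PATH = "/rpc"


@dataclass
class Request:
    """Minimal HTTP request view (constructed for this example)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type: Optional[str]) -> str:
    """Strip parameters and normalize case:
    'Application/JSON; charset=utf-8' -> 'application/json'."""
    if content_type is None:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def rpc_request_allowed(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Non-/rpc traffic is left alone; /rpc traffic
    passes only with an application/json body."""
    # Drop the query string and a trailing slash so '/rpc/?x=1' is still '/rpc'.
    path = req.path.split("?", 1)[0].rstrip("/")
    if path != RPC_PATH:
        return True, "not the RPC endpoint"

    # A WebSocket handshake has no JSON body, so it cannot satisfy the rule.
    if get_header(req.headers, "Upgrade") is not None:
        return False, "WebSocket upgrade to /rpc is not an application/json request"

    mt = media_type(get_header(req.headers, "Content-Type"))
    if mt != ALLOWED_RPC_MEDIA_TYPE:
        return False, f"content type {mt or '<missing>'!r} is not {ALLOWED_RPC_MEDIA_TYPE}"
    return True, "JSON RPC request"


# Constructed sample traffic: one request of each kind the rule must handle.
SAMPLE_REQUESTS = [
    Request("POST", "/rpc", {"Content-Type": "application/json"}),
    Request("POST", "/rpc/?v=1", {"content-type": "Application/JSON; charset=utf-8"}),
    Request("POST", "/rpc", {"Content-Type": "application/octet-stream"}),
    Request("POST", "/rpc", {}),  # no content type at all
    Request("GET", "/rpc", {"Upgrade": "websocket", "Connection": "Upgrade"}),
    Request("GET", "/health", {}),  # unrelated endpoint, untouched
]


def filter_requests(requests) -> list:
    """Apply the rule to a batch and return [(path, allowed, reason), ...]."""
    return [(r.path, *rpc_request_allowed(r)) for r in requests]


if __name__ == "__main__":
    for path, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path:12} {reason}")
```

In a real deployment the denied requests should be answered with 415 Unsupported Media Type (or 403) at the proxy and logged, since after the upgrade in the fix section they are the only traffic that could have carried the crafted binary object described in the overview.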
