Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) Affecting surrealdb package, versions <1.5.5 >=2.0.0-beta.1 <2.0.0-beta.3
- Snyk ID SNYK-RUST-SURREALDB-7932376
- published 12 Sep 2024
- disclosed 11 Sep 2024
- credit Raphael Darley
How to fix?
Upgrade surrealdb to version 1.5.5, 2.0.0-beta.3 or higher.
Overview
Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) via the SIGNIN and SIGNUP operations in the RPC API. An attacker can manipulate the database operations to select, create, update, and delete non-IAM resources with elevated permissions by providing a specially crafted binary object containing a subquery instead of valid credentials. This is only exploitable if a record access method was defined with SIGNIN or SIGNUP queries and the SurrealDB RPC API was exposed to untrusted users.
Workaround
This vulnerability can be mitigated by disallowing access to the SurrealDB RPC API using the affected binary serialization formats, i.e. by conservatively allowing only requests to the /rpc endpoint of the SurrealDB HTTP server with the application/json content type. Alternatively, record access methods that define SIGNIN and SIGNUP clauses may be temporarily removed to completely prevent potential attacks leveraging this issue.
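The first workaround above (accept /rpc traffic only when it carries the application/json content type) can be enforced in front of an unpatched SurrealDB instance. The following Go reverse proxy is an added example written for this page; it is not code from SurrealDB or from the advisory. It assumes SurrealDB listens on 127.0.0.1:8000 and the proxy on :8080, treats every non-JSON media type on /rpc as one of the affected binary formats, and leaves paths other than /rpc untouched. Because a WebSocket upgrade to /rpc carries no application/json content type, the same rule refuses it as well.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// rpcRequestAllowed is the advisory's workaround expressed as a pure, testable rule:
// a request to the /rpc endpoint passes only when its Content-Type media type is
// application/json. A missing, unparseable or non-JSON Content-Type (binary
// serialization formats, WebSocket upgrades) is refused. Paths other than /rpc are
// out of scope for this rule and are allowed through to the caller's own policy.
// The second return value is a short reason intended for the refusal log line.
func rpcRequestAllowed(reqPath, contentType string) (bool, string) {
	// Normalise "//rpc", "/rpc/" and "/./rpc" to "/rpc" so the rule cannot be
	// bypassed by a path spelling the upstream router might still accept.
	p := path.Clean("/" + reqPath)
	if p != "/rpc" && !strings.HasPrefix(p, "/rpc/") {
		return true, "not an rpc path"
	}
	if contentType == "" {
		return false, "missing Content-Type on /rpc"
	}
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return false, "unparseable Content-Type on /rpc"
	}
	if mediaType != "application/json" {
		return false, "non-JSON Content-Type on /rpc: " + mediaType
	}
	return true, "json rpc"
}

// guardRPC wraps an upstream handler (here a reverse proxy to SurrealDB) and applies
// rpcRequestAllowed before forwarding. Refusals are logged with the client address
// so that attempts to use the binary formats are visible to operators.
func guardRPC(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, reason := rpcRequestAllowed(r.URL.Path, r.Header.Get("Content-Type"))
		if !ok {
			log.Printf("refused %s %s from %s: %s", r.Method, r.URL.Path, r.RemoteAddr, reason)
			http.Error(w, "only application/json is accepted on /rpc", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: SurrealDB on 127.0.0.1:8000, this guard on :8080.
	upstream, err := url.Parse("http://127.0.0.1:8000")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8080", guardRPC(proxy)))
}
```

Run it alongside SurrealDB and point clients at port 8080; a JSON request to /rpc is forwarded unchanged, while a request with any other content type receives 415 and a log line. This is a stop-gap for the window before the upgrade to 1.5.5 or 2.0.0-beta.3, not a replacement for it.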