Uncontrolled Recursion Affecting surrealdb-core package, versions <2.0.5>=2.1.0 <2.1.5>=2.2.0 <2.2.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-SURREALDBCORE-10074178
- published9 May 2025
- disclosed10 Apr 2025
- creditcure53
Introduced: 10 Apr 2025
CVE NOT AVAILABLE CWE-674 (opens in a new tab)How to fix?
Upgrade surrealdb-core to version 2.0.5, 2.1.5, 2.2.2 or higher.
Overview
Affected versions of this package are vulnerable to Uncontrolled Recursion due to the improper handling of nested function calls in scripting environments. An attacker can exhaust system memory and cause a denial of service by creating recursive queries that bypass the recursion limit.
Note:
This is only exploitable if the SurrealDB server has scripting capabilities explicitly enabled with --allow-scripting or --allow-all and the environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true.
Workaround
This vulnerability can be mitigated by denying the execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true.