Infinite loop Affecting surrealdb-core package, versions <2.0.5>=2.1.0 <2.1.5>=2.2.0 <2.2.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-SURREALDBCORE-10079740
- published9 May 2025
- disclosed11 Apr 2025
- creditcure53
Introduced: 11 Apr 2025
CVE NOT AVAILABLE CWE-835 (opens in a new tab)How to fix?
Upgrade surrealdb-core to version 2.0.5, 2.1.5, 2.2.2 or higher.
Overview
Affected versions of this package are vulnerable to Infinite loop through the DEFINE FUNCTION statement. An attacker can monopolize the server's CPU resources by defining and executing a custom function with deeply nested FOR loops, each with a high iteration count. This results in the server being unable to process other requests or establish new connections, requiring a manual restart to recover.
Note:
This is only exploitable if the attacker has authenticated access with OWNER or EDITOR permissions at the root, database or namespace levels to define their own database functions.
Workaround
This vulnerability can be mitigated by setting the --allow-functions and/or --deny-functions options or corresponding SURREAL_CAPS_ALLOW_FUNC and/or SURREAL_CAPS_DENY_FUNC environment variables, to either block all custom functions, or only allow trusted functions to execute.