Upgrade surrealdb-core to version 2.0.5, 2.1.5, 2.2.2 or higher.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the scripting capability. Embedded JavaScript functions are executed without a time limit, so an attacker who can submit queries can launch a series of long-running functions that overwhelm the server's resources.
Note: This vulnerability can only affect SurrealDB servers that explicitly enable the scripting capability with --allow-scripting or --allow-all, or with the equivalent environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true respectively.
This vulnerability can be mitigated by setting the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true, which denies execution of embedded scripting functions through the capabilities configuration. Because a deny rule takes precedence over an allow rule, this remains effective on a server that is otherwise started with --allow-all.
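The following pre-start check is an added example and is not tooling from SurrealDB or from this advisory. It inspects a `surreal start` argument list and the SURREAL_CAPS_* environment for the flags named above and reports whether embedded scripting would be executable, treating a deny as overriding an allow (an assumption about SurrealDB's capability precedence that matches the mitigation advice). The two command lines it checks at the bottom are constructed for illustration; `--bind` is only there to show that unrelated flags are ignored.

```shell
#!/bin/sh
# Added example, not SurrealDB's own code. Decides whether the scripting
# capability is effectively enabled for a given `surreal start` invocation.
# Flag and variable names are the ones listed in the advisory; the rule
# "deny beats allow" is an assumption about SurrealDB's capability precedence.

# scripting_effective [surreal start arguments...]
# Prints "enabled" and returns 0 when embedded scripting could run,
# prints "disabled" and returns 1 otherwise. Reads SURREAL_CAPS_ALLOW_SCRIPT,
# SURREAL_CAPS_ALLOW_ALL and SURREAL_CAPS_DENY_SCRIPT from the environment.
scripting_effective() {
    allow=0
    deny=0

    # Environment-variable equivalents of the flags.
    [ "${SURREAL_CAPS_ALLOW_SCRIPT:-}" = "true" ] && allow=1
    [ "${SURREAL_CAPS_ALLOW_ALL:-}" = "true" ] && allow=1
    [ "${SURREAL_CAPS_DENY_SCRIPT:-}" = "true" ] && deny=1

    # Command-line flags; anything else (e.g. --bind) is irrelevant here.
    for arg in "$@"; do
        case "$arg" in
            --allow-scripting|--allow-all) allow=1 ;;
            --deny-scripting) deny=1 ;;
        esac
    done

    # Assumption: an explicit deny overrides any allow, including --allow-all.
    if [ "$allow" -eq 1 ] && [ "$deny" -eq 0 ]; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# Constructed command lines (not real deployments): the weak configuration
# beside the mitigated one from the advisory.
echo "weak:     surreal start --allow-all --bind 0.0.0.0:8000 -> $(scripting_effective --allow-all --bind 0.0.0.0:8000)"
echo "hardened: surreal start --allow-all --deny-scripting --bind 0.0.0.0:8000 -> $(scripting_effective --allow-all --deny-scripting --bind 0.0.0.0:8000)"
```

Run it in the same environment the server is started from (so the SURREAL_CAPS_* variables are visible) and wire `scripting_effective` into a startup wrapper or CI check that refuses to launch an unpatched surrealdb-core when the result is "enabled".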