In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade surrealdb-core
to version 2.1.0 or higher.
Affected versions of this package are vulnerable to Uncaught Exception through the ORDER BY rand()
clause. This is only exploitable if the attacker has authorization to run queries on the SurrealDB server.
Users who are unable to upgrade to the fixed version are advised to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions and ensuring that the SurrealDB process is configured to automatically restart after a crash.