N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-27vq-hv74-7cqp

GHSA-27vq-hv74-7cqp: SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type

The OVERWRITE clause of the DEFINE TABLE statement would fail to overwrite data for tables that were defined with TYPE RELATION. Since table definitions include the PERMISSIONS clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not.

Impact

If a user attempted to update table permissions of a table defined with TYPE RELATION using DEFINE TABLE ... OVERWRITE, permissions for the table would not be changed. This may allow a client that is authorized to run queries in a SurrealDB server to access certain data in that specific table that they were not intended to be able to access after the specified change in permissions.

Patches

The DEFINE TABLE statement has been updated to appropriately overwrite data for tables defined with TYPE RELATION.

Version 2.1.4 and later are not affected by this issue.

Workarounds

Users of tables with TYPE RELATION that may have been modified using the OVERWRITE clause in order to update permissions are advised to verify that the intended permissions are in place using the INFO FOR DB statement. Affected users who are unable to update and require updating permissions in a table with TYPE RELATION will be required to remove the table and define it from scratch with the intended permissions. Data can be preserved by backing it up to a temporary table.

References

#5260

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-27vq-hv74-7cqp

GHSA-27vq-hv74-7cqp:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
surrealdb	rust	>= 2.0.0, < 2.1.4	2.1.4
surrealdb-core	rust	>= 2.0.0, < 2.1.4	2.1.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect ordering of transaction commits and field updates in table definition operations. Both files show the pattern: 1) In define/table.rs, the vulnerable version called txn.set() before adding relational fields via add_in_out_fields. 2) In alter/table.rs, the same pattern existed with early txn.set(). This meant permission changes in OVERWRITE operations weren't persisted when tables had relations, as the final state with updated permissions wasn't written to storage. The patch fixes this by making add_in_out_fields modify the table definition before committing to storage.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-27vq-hv74-7cqp: SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type

Impact

Patches

Workarounds

References

GHSA-27vq-hv74-7cqp:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

GHSA-27vq-hv74-7cqp: SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI