N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3824-qmfq-2qv7

GHSA-3824-qmfq-2qv7: SurrealDB no JavaScript script function default timeout could facilitate DoS

Through enabling the scripting capability. SurrealDB allows for advanced functions with complicated logic, by allowing embedded functions to be written in JavaScript.

These functions are bounded for memory and stack size, but not in time. An attacker could launch a number of long running functions that could potentially facilitate a Denial Of Service attack.

This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with --allow-scripting or --allow-all and equivalent environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Low, matched by our CVSS v4 assessment.

Impact

An attacker can use the scripting capabilities of SurrealDB to run a series of long running functions to facilitate a Denial Of Service attack.

Patches

A default timeout for the scripting functions has been implemented with a configurable SURREAL_SCRIPTING_MAX_TIME_LIMIT environment variable

Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.

Workarounds

For users that cannot upgrade. Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.

References

5597 SurrealDB Documentation - Capabilities SurrealQL Documentation - Scripting Functions

()

Miggo Vulnerability Database

→

GHSA-3824-qmfq-2qv7

GHSA-3824-qmfq-2qv7:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
surrealdb	rust	>= 2.2.0, < 2.2.2	2.2.2
surrealdb	rust	< 2.0.5	2.0.5
surrealdb	rust	>= 2.1.0, < 2.1.5	2.1.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly states that SurrealDB's JavaScript script functions lacked a default timeout, potentially leading to a DoS. I analyzed the provided pull request (https://github.com/surrealdb/surrealdb/pull/5597) and its associated commits. The commit fd286b9b3734d44f50b1bfdfdc918b210b438ae1 directly addresses this issue.

In this commit, the file crates/core/src/fnc/script/main.rs contains the run function, which is responsible for executing JavaScript scripts. The diff shows the introduction of a timeout mechanism within this run function: a start time (instant_start) is recorded, a time_limit is established (read from the new SCRIPTING_MAX_TIME_LIMIT configuration), and the interrupt handler for the JavaScript runtime is modified to check if this time limit has been exceeded.

Before this change, the interrupt handler only checked for external cancellation (cancellation.is_done()), meaning a script could run indefinitely if not externally cancelled, thus consuming resources and leading to a DoS. The run function is therefore the direct site of the vulnerability because it's where the unbounded execution occurred. Other changes in the commit, such as those to foreach.rs or HTTP handling, address related but distinct issues (long-running loops in SurrealQL or HTTP redirect limits) rather than the core JavaScript execution timeout vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-3824-qmfq-2qv7: SurrealDB no JavaScript script function default timeout could facilitate DoS

Impact

Patches

Workarounds

References

GHSA-3824-qmfq-2qv7:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Technical Details

Basic Information

Basic Information

GHSA-3824-qmfq-2qv7: SurrealDB no JavaScript script function default timeout could facilitate DoS

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI