7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-58j9-j2fj-v8f4

EPSS Score

CWE

Published

1/19/2024

Updated

1/19/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-58j9-j2fj-v8f4

GHSA-58j9-j2fj-v8f4: SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface

SurrealDB depends on the tungstenite and tokio-tungstenite crates used by the axum crate, which handles connections to the SurrealDB WebSocket interface. On versions before 0.20.1, the tungstenite crate presented an issue which allowed the parsing of HTTP headers during the client handshake to continuously consume high CPU when the headers were very long. All affected crates have been updated in SurrealDB version 1.1.0.

From the original advisory for CVE-2023-43669: "The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes)."

Impact

A remote unauthenticated attacker may cause a SurrealDB server that exposes its WebSocket interface to consume high CPU by sending an HTTP request with a very long header to the WebSocket interface, potentially leading to denial of service.

Patches

Version 1.1.0 and later are not affected by this issue.

Workarounds

Users unable to update may be able to limit access to the WebSocket interface (i.e. the /rpc endpoint) via reverse proxy if not in use or only used by a limited number of trusted clients. Alternatively, a reverse proxy may be used to strip or truncate request headers exceeding a reasonable length before reaching the SurrealDB server.

References

#2807
https://nvd.nist.gov/vuln/detail/CVE-2023-43669
https://rustsec.org/advisories/RUSTSEC-2023-0065.html
https://github.com/snapview/tungstenite-rs/issues/376

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-58j9-j2fj-v8f4

GHSA-58j9-j2fj-v8f4:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-58j9-j2fj-v8f4

EPSS Score

CWE

Published

1/19/2024

Updated

1/19/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
surrealdb	rust	< 1.1.0	1.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from tungstenite's HTTP header processing during WebSocket handshakes. The commit diff shows SurrealDB updated from vulnerable tungstenite versions (<0.20.1) where these functions lacked proper header size validation. The original tungstenite issue (#376) specifically identifies the parsing loop in single_round() and try_parse() as the problem area. These functions repeatedly process oversized headers without early rejection, leading to CPU exhaustion. The functions are in the dependency chain through axum/tokio-tungstenite used by SurrealDB's WebSocket implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-58j9-j2fj-v8f4: SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface

Impact

Patches

Workarounds

References

GHSA-58j9-j2fj-v8f4:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-58j9-j2fj-v8f4: SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface

Impact

Patches

Workarounds

References

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI