N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-7vm2-j586-vcvc

EPSS Score

CWE

CWE-863

Published

9/11/2025

Updated

9/11/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7vm2-j586-vcvc

GHSA-7vm2-j586-vcvc: SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggering the notification.

This allows a record or guest user with permissions to run live query subscriptions on a table to observe unauthorised records within the same table, when another user is altering or deleting these records, bypassing access controls.

Impact

A record or guest user with permissions to run live query subscriptions on a table is able to observe unauthorised records within the same table, with unauthorised records returned when deleted, or when records matching the WHERE conditions are created, updated, or deleted, by another user. This impacts confidentiality, limited to the table the attacker has access to, and with the data disclosed dependent of the actions taken by other users.

Patches

A patch has been created for the following versions:

Versions 2.1.9, 2.2.8 and 2.3.8 and later are not affected by this issue.
The first release following v3.0.0-alpha.7 will be patched.

Workarounds

Assess the impact of users with permissions on table records effectively having full read access to the table, use separate tables if required, with impacts to functionality.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-7vm2-j586-vcvc

GHSA-7vm2-j586-vcvc:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-7vm2-j586-vcvc

EPSS Score

CWE

CWE-863

Published

9/11/2025

Updated

9/11/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
SurrealDB	rust	>= 2.3.0, < 2.3.8	2.3.8
SurrealDB	rust	>= 2.2.0, < 2.2.8	2.2.8
SurrealDB	rust

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, GHSA-7vm2-j586-vcvc, allows unauthorized data exposure in SurrealDB's LIVE SELECT queries. The root cause is that the system failed to apply the security permissions of the live query subscriber when generating data notifications. Instead, it used the permissions of the user who triggered the data change, leading to a classic confused deputy problem where a less-privileged user could see data they were not authorized to access.

The analysis of the patch commit d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c reveals that the core logic for handling live query notifications was flawed. The function Document::lq_process was identified as the primary vulnerable function. It was responsible for processing the notifications but did so on the complete, un-redacted data. The fix involves introducing a call to compute_reduced_target within lq_process to explicitly reduce the document according to the subscriber's permissions before any data is sent.

Additionally, the Document::pluck function was complicit in the vulnerability. It was incorrectly used to generate the payload for live queries, using the wrong security context. The patch corrects this by removing the live query handling logic from pluck and introducing a new dedicated function, lq_pluck, ensuring that live query data is handled separately and securely.

An engineer with this CVE in their environment should understand that any user with permission to run LIVE SELECT on a table could potentially access all data in that table, bypassing any row-level or field-level security policies. Patching is critical to prevent this confidentiality breach.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-7vm2-j586-vcvc: SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

Impact

Patches

Workarounds

GHSA-7vm2-j586-vcvc:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

GHSA-7vm2-j586-vcvc: SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

Impact

Patches

Workarounds

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI