N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-pxw4-94j3-v9pf

EPSS Score

CWE

CWE-835

Published

4/11/2025

Updated

4/11/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-pxw4-94j3-v9pf

GHSA-pxw4-94j3-v9pf: SurrealDB CPU exhaustion via custom functions result in total DoS

SurrealDB allows authenticated users with OWNER or EDITOR permissions at the root, database or namespace levels to define their own database functions using the DEFINE FUNCTION statement

A custom database function comprises a name together with a function body. In the function body, the user programs the functionality of the function in terms of SurrealQL. The language includes a FOR keyword, used to implement for-loops.

Whilst the parser and interpreter constrain the number of iterations for a single for-loop, nesting several for-loops with a large number of iterations is possible. Thus, an attacker could define a function that comprises several nested for-loops with an iteration count of 1.000.000 each.

Executing the function will consume all the CPU time of the server, timeouts configured will not break the CPU consumption, and the function execution monopolizes all CPU time of the SurrealDB server, effectively preventing the server from executing functions, queries, commands of other users, or allowing further connections being established to the server.

Terminating the stuck server requires manual intervention which forces a quit on the server process, as the server application is not responsive any longer.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is high, matched by our CVSS v4 assessment.

Impact

Denial of Service vulnerability resulting in a stuck SurrealDB server requiring manual restart.

Patches

A patch has been introduced that adds a check in the ForEachStatement that checks if the context has been cancelled or timed out for every iteration.

Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue.

Workarounds

For SurrealDB users that are unable to upgrade, consider setting the --allow-functions and/or --deny-functions options or corresponding SURREAL_CAPS_ALLOW_FUNC and/or SURREAL_CAPS_DENY_FUNC environment variables, documented within capabilities, to either block all custom functions, or only allow trusted functions to execute.

References

SurrealQL Documentation - DEFINE FUNCTION Statement SurrealQL Documentation - FOR Statement SurrealDB Documentation - Capabilities SurrealDB Documentation - Environment variables #5597

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-pxw4-94j3-v9pf

EPSS Score

CWE

CWE-835

Published

4/11/2025

Updated

4/11/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
surrealdb	rust	>= 2.2.0, < 2.2.2	2.2.2
surrealdb	rust	>= 2.1.0, < 2.1.5	2.1.5
surrealdb	rust	< 2.0.5	2.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability describes a CPU exhaustion issue due to nested FOR loops in custom SurrealDB functions. The primary patch location, as stated in the vulnerability description ('A patch has been introduced that adds a check in the ForEachStatement'), points directly to the process method within ForEachStatement. Analysis of commit fd286b9b3734d44f50b1bfdfdc918b210b438ae1 confirms that crates/core/src/sql/statements/foreach.rs was modified to add timeout and cooperative yielding checks within the loop of the ForEachStatement::process method. This function is therefore directly vulnerable as it contained the flawed loop execution logic. Additionally, the fnc::script::main::run function, which is responsible for executing these custom functions (scripts), was also patched in the same commit to include a general script execution timeout. This function processes the malicious input (the script) and, before its own patch, would have allowed the script to run for an extended period if the underlying ForEachStatement didn't yield. Thus, it's also considered relevant, though the root of the loop exhaustion is in ForEachStatement::process.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Surr**l** *llows *ut**nti**t** us*rs wit* `OWN*R` or `**ITOR` p*rmissions *t t** root, **t***s* or n*m*sp*** l*v*ls to ***in* t**ir own **t***s* *un*tions usin* t** `***IN* *UN*TION` st*t*m*nt * *ustom **t***s* *un*tion *ompris*s * n*m* to**t**r wit

Reasoning

T** vuln*r**ility **s*ri**s * *PU *x**ustion issu* *u* to n*st** `*OR` loops in *ustom Surr**l** *un*tions. T** prim*ry p*t** lo**tion, *s st*t** in t** vuln*r**ility **s*ription ('* p*t** **s ***n intro*u*** t**t ***s * ****k in t** `*or****St*t*m*n

N/A

Basic Information

Concerned about an active attack path?

GHSA-pxw4-94j3-v9pf: SurrealDB CPU exhaustion via custom functions result in total DoS

Impact

Patches

Workarounds

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI