GHSA-4m82-p8cx-f94j: SurrealDB: LIVE query subscriptions survive session state changes, bypassing access controls
A LIVE SELECT subscription records the user’s auth state ($auth, $token, $session, $access) when it is registered, and the server uses that recorded state to evaluate the table- and row-level PERMISSIONS clauses for every subsequent notification. The recorded state is never refreshed.
When something changes the user’s effective auth state — the originating session is invalidated, the session’s TTL expires, or the user signs in, signs up, or authenticates as a different identity on the same connection — the subscription keeps delivering notifications under the old, stale auth state, and the PERMISSIONS that should now apply to the connection are never consulted.
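The behaviour described above, modelled as an added example that is not SurrealDB's code: a subscription that replays the auth state recorded at registration beside one that consults the session's current state on every notification. `Session`, `Auth`, `StaleLiveQuery` and `FreshLiveQuery` are hypothetical names.

```rust
// Added model of the advisory's failure mode, not SurrealDB's code; all names are hypothetical.
#[derive(Clone)]
pub enum Auth {
    User { id: String },
}

/// Per-connection session state. `None` means the session was invalidated or its TTL expired.
pub struct Session {
    pub auth: Option<Auth>,
}

/// Stand-in for a row-level PERMISSIONS clause: only the row's owner may see it.
fn row_visible(auth: &Option<Auth>, row_owner: &str) -> bool {
    matches!(auth, Some(Auth::User { id }) if id.as_str() == row_owner)
}

/// Vulnerable pattern: auth state is captured once at registration and never refreshed.
pub struct StaleLiveQuery {
    recorded_auth: Option<Auth>,
}

impl StaleLiveQuery {
    pub fn register(session: &Session) -> Self {
        StaleLiveQuery { recorded_auth: session.auth.clone() }
    }
    pub fn should_notify(&self, _session: &Session, row_owner: &str) -> bool {
        row_visible(&self.recorded_auth, row_owner)
    }
}

/// Hardened pattern: PERMISSIONS are evaluated against the session's current auth on
/// every notification, so invalidation, expiry and re-authentication take effect at once.
pub struct FreshLiveQuery;

impl FreshLiveQuery {
    pub fn should_notify(&self, session: &Session, row_owner: &str) -> bool {
        row_visible(&session.auth, row_owner)
    }
}

/// Alice registers a subscription, the session's auth then changes to `new_auth`, and a
/// change to Alice's row arrives. Returns (stale delivers, fresh delivers).
pub fn notify_after_change(new_auth: Option<Auth>) -> (bool, bool) {
    let mut session = Session { auth: Some(Auth::User { id: "alice".into() }) };
    let stale = StaleLiveQuery::register(&session);
    let fresh = FreshLiveQuery;
    session.auth = new_auth; // invalidation/expiry (None) or sign-in as another identity
    (stale.should_notify(&session, "alice"), fresh.should_notify(&session, "alice"))
}
```

With `None` (session invalidated or expired) or `Some(bob)` (re-authenticated as another identity) the stale subscription still delivers Alice's row while the hardened one does not.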