GHSA-cc8f-fcx3-gpjr: SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter

June 19, 2026

SurrealDB’s full-text search lets you define a text analyzer whose mapper filter loads a term-mapping file from disk (DEFINE ANALYZER ... FILTERS mapper('<path>')). A database user with the EDITOR or OWNER role could point that filter at any file the SurrealDB process can read and have its content returned in the query’s error message.

File access is meant to be restricted by the SURREAL_FILE_ALLOWLIST setting, but an empty allowlist applied no restriction at all, and empty is the default.
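
As an added illustration, not SurrealDB's own code, the following Rust sketch shows the failure mode this advisory describes: an allowlist gate where an empty list is treated as "no policy" beside a deny-by-default version, with canonicalisation so that `..` segments and symlinks cannot escape an allowed root, plus a mapper loader whose error messages carry a line number rather than the file's text. Only the SURREAL_FILE_ALLOWLIST name comes from the advisory; the comma-separated list format, the `term<TAB>mapping` file layout, the scratch files and every function name are assumptions made for the example.

```rust
// Added illustration (not SurrealDB's code): an allowlist gate for a
// file-loading analyzer filter, showing the weak "empty means unrestricted"
// behaviour beside a deny-by-default fix, and an error path that never
// echoes file contents back to the caller.
use std::fs;
use std::path::{Path, PathBuf};

/// Outcome of the allowlist check.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Deny(&'static str),
}

/// Parse a comma-separated allowlist (assumed format for a setting such as
/// SURREAL_FILE_ALLOWLIST). Blank entries are dropped, so "" yields an empty list.
pub fn parse_allowlist(raw: &str) -> Vec<PathBuf> {
    raw.split(',').map(str::trim).filter(|s| !s.is_empty()).map(PathBuf::from).collect()
}

/// Resolve symlinks and `..` segments first, then require the real path to sit
/// under one of the allowed roots (comparing unresolved strings is bypassable).
fn within_roots(roots: &[PathBuf], requested: &Path) -> Decision {
    let real = match fs::canonicalize(requested) {
        Ok(p) => p,
        Err(_) => return Decision::Deny("path cannot be resolved"),
    };
    let allowed = roots
        .iter()
        .filter_map(|r| fs::canonicalize(r).ok())
        .any(|r| real.starts_with(&r));
    if allowed { Decision::Allow } else { Decision::Deny("path is outside the file allowlist") }
}

/// Weak variant: an empty allowlist is treated as "no policy", so every file the
/// process can read is reachable. This is the shape the advisory describes.
pub fn check_path_weak(roots: &[PathBuf], requested: &Path) -> Decision {
    if roots.is_empty() {
        return Decision::Allow;
    }
    within_roots(roots, requested)
}

/// Hardened variant: an empty allowlist denies all file access, so an operator
/// has to opt in to each directory explicitly.
pub fn check_path_fixed(roots: &[PathBuf], requested: &Path) -> Decision {
    if roots.is_empty() {
        return Decision::Deny("file access disabled: allowlist is empty");
    }
    within_roots(roots, requested)
}

/// Load a term-mapping file (assumed format: one `term<TAB>mapping` per line).
/// A malformed line is reported by number only, never by content, so pointing the
/// filter at the wrong file cannot turn the query error into a file-read channel.
pub fn load_mapper(roots: &[PathBuf], path: &Path) -> Result<Vec<(String, String)>, String> {
    if let Decision::Deny(reason) = check_path_fixed(roots, path) {
        return Err(reason.to_string());
    }
    let text = fs::read_to_string(path).map_err(|_| "mapper file unreadable".to_string())?;
    let mut pairs = Vec::new();
    for (n, line) in text.lines().enumerate() {
        if line.trim().is_empty() {
            continue;
        }
        match line.split_once('\t') {
            Some((term, mapped)) => pairs.push((term.to_string(), mapped.to_string())),
            None => return Err(format!("mapper file: malformed entry at line {}", n + 1)),
        }
    }
    Ok(pairs)
}

/// Constructed sample data: a scratch directory holding one allowed mapper file
/// and one file outside the allowed root. Returns (allowed_root, mapper, outside).
pub fn scratch_layout() -> (PathBuf, PathBuf, PathBuf) {
    let base = std::env::temp_dir().join(format!("mapper-allowlist-demo-{}", std::process::id()));
    let allowed = base.join("analyzers");
    fs::create_dir_all(&allowed).expect("create scratch dir");
    let mapper = allowed.join("english.map");
    fs::write(&mapper, "running\trun\nflies\tfly\n").expect("write mapper");
    let outside = base.join("secret.txt");
    fs::write(&outside, "db_password=not-for-query-errors\n").expect("write outside file");
    (allowed, mapper, outside)
}

fn main() {
    let (allowed, mapper, outside) = scratch_layout();
    let empty = parse_allowlist("");
    println!("empty allowlist, weak check:  {:?}", check_path_weak(&empty, &outside));
    println!("empty allowlist, fixed check: {:?}", check_path_fixed(&empty, &outside));
    let roots = parse_allowlist(&allowed.to_string_lossy());
    println!("mapper under root: {:?}", load_mapper(&roots, &mapper));
    let traversal = allowed.join("..").join("secret.txt");
    println!("outside via ..:    {:?}", load_mapper(&roots, &traversal));
}
```

Two design points carry the weight here: the decision on an empty list is made before any path comparison, so "unconfigured" cannot silently mean "open", and the only strings that flow from file contents back to the user are those the loader parsed successfully into mappings, never the raw text of a file that failed to parse.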

References

  • github.com/advisories/GHSA-cc8f-fcx3-gpjr
  • github.com/surrealdb/surrealdb/pull/5600
  • github.com/surrealdb/surrealdb/security/advisories/GHSA-cc8f-fcx3-gpjr

Affected versions

All versions before 3.1.5

Fixed versions

  • 3.1.5

Solution

Upgrade to version 3.1.5 or above.

Impact

7.7 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Weakness

  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

cargo/surrealdb/GHSA-cc8f-fcx3-gpjr.yml
Page generated Tue, 23 Jun 2026 12:24:19 +0000.