GHSA-xx7m-69ff-9crp: SurrealDB vulnerable to Denial of Service through scripting function memory edge case
In SurrealDB instances with the scripting capability enabled (--allow-scripting), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.
The query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.
Whilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (--allow-guests) is enabled, then guests can perform this attack.
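The two conditions above (scripting enabled, and whether guests can issue queries) can be read straight off a server's start command. The following triage helper is an added example, not code from the advisory or from SurrealDB; it assumes that --deny-scripting, --deny-guests, --allow-all and --deny-all belong to the same capability flag family as the two flags named above, and that an explicit deny overrides an allow.

```python
"""Classify SurrealDB start command lines for exposure to GHSA-xx7m-69ff-9crp.

Per the advisory, the crash is reachable when the scripting capability is on
and a client can run arbitrary queries; with guest access also on, that client
can be unauthenticated. The --deny-* / --allow-all / --deny-all flags are an
assumption about SurrealDB's capability flags, not taken from the advisory.
"""
import shlex


def capability_enabled(args, name):
    """A capability is on if allowed (directly or via --allow-all) and not denied.
    Assumption: an explicit --deny-<name> or --deny-all overrides any allow."""
    if f"--deny-{name}" in args or "--deny-all" in args:
        return False
    return f"--allow-{name}" in args or "--allow-all" in args


def assess(cmdline):
    """Return 'NOT_EXPOSED', 'EXPOSED_AUTHENTICATED' or 'EXPOSED_GUESTS'."""
    args = shlex.split(cmdline)
    if not args or not args[0].endswith("surreal") or "start" not in args:
        return "NOT_EXPOSED"  # not a SurrealDB server process
    if not capability_enabled(args, "scripting"):
        return "NOT_EXPOSED"  # scripting off: the vulnerable JS path is unreachable
    if capability_enabled(args, "guests"):
        return "EXPOSED_GUESTS"  # any unauthenticated client can trigger the crash
    return "EXPOSED_AUTHENTICATED"  # only clients able to run queries can


# Constructed sample command lines (hypothetical hosts, not real deployments).
SAMPLE_PROCESSES = [
    "/usr/local/bin/surreal start --user root --pass root --allow-scripting --allow-guests memory",
    "/usr/local/bin/surreal start --allow-all --deny-guests file:/data/db",
    "/usr/local/bin/surreal start --allow-all --deny-scripting file:/data/db",
    "/usr/local/bin/surreal start --user root --pass root memory",
]


def triage(cmdlines):
    """Map each command line to its verdict so an operator knows which instances
    to restart without scripting, or to upgrade to a build carrying the fix."""
    return {cmd: assess(cmd) for cmd in cmdlines}


if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_PROCESSES).items():
        print(f"{verdict:22} {cmd}")
```

On a live host, feed it the output of `ps -o args= -C surreal` instead of the constructed samples.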
References
- github.com/advisories/GHSA-xx7m-69ff-9crp
- github.com/surrealdb/surrealdb
- github.com/surrealdb/surrealdb/commit/2b0389b92398d9ecff4632cd51bbf8303832a988
- github.com/surrealdb/surrealdb/commit/bcd2ece9ef0d721215f06a47280698669f332285
- github.com/surrealdb/surrealdb/pull/6774
- github.com/surrealdb/surrealdb/pull/6833
- github.com/surrealdb/surrealdb/security/advisories/GHSA-xx7m-69ff-9crp