Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-3633-g6mg-p6qq: SurrealDB memory exhaustion via string::replace using regex

An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

Impact

An authenticated user can crash the SurrealDB instance through memory exhaustion

Patches

A patch has been created that enforces a limit on string length SURREAL_GENERATION_ALLOCATION_LIMIT

  • Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run the string::replace function in the affected versions of SurrealDB using the --deny-functions flag described within Capabilities or the equivalent SURREAL_CAPS_DENY_FUNC environment variable.

References

SurrealQL Documentation - DB Functions (string::replace) SurrealDB Documentation - Capabilities SurrealDB Documentation - Environment Variables #5619 #5638

ghsa
Open in Source
#dos#git#auth

An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

Impact

An authenticated user can crash the SurrealDB instance through memory exhaustion

Patches

A patch has been created that enforces a limit on string length SURREAL_GENERATION_ALLOCATION_LIMIT

  • Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run the string::replace function in the affected versions of SurrealDB using the --deny-functions flag described within Capabilities or the equivalent SURREAL_CAPS_DENY_FUNC environment variable.

References

SurrealQL Documentation - DB Functions (string::replace)
SurrealDB Documentation - Capabilities
SurrealDB Documentation - Environment Variables
#5619
#5638

References

  • GHSA-3633-g6mg-p6qq
  • surrealdb/surrealdb#5619
  • surrealdb/surrealdb#5638

ghsa: Latest News

GHSA-8qff-qr5q-5pr8: OpenPGP.js's message signature verification can be spoofed
ghsa