GHSA-3633-G6MG-P6QQ

GHSA-3633-G6MG-P6QQ is a high-severity security vulnerability in surrealdb (rust), affecting versions >= 2.2.0, < 2.2.2. It is fixed in 2.2.2, 2.1.5, 2.0.5.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

SurrealDB memory exhaustion via string::replace using regex

An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run the string::replace function in the affected versions of SurrealDB using the --deny-functions flag described within Capabilities or the equivalent SURREAL_CAPS_DENY_FUNC environment variable.

References

SurrealQL Documentation - DB Functions (string::replace)
SurrealDB Documentation - Capabilities
SurrealDB Documentation - Environment Variables
#5619
#5638

Impact

An authenticated user can crash the SurrealDB instance through memory exhaustion

Affected versions

surrealdb (>= 2.2.0, < 2.2.2) surrealdb (>= 2.1.0, < 2.1.5) surrealdb (< 2.0.5)

Security releases

surrealdb → 2.2.2 (rust) surrealdb → 2.1.5 (rust) surrealdb → 2.0.5 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

A patch has been created that enforces a limit on string length SURREAL_GENERATION_ALLOCATION_LIMIT

  • Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue

Frequently Asked Questions

  1. What is GHSA-3633-G6MG-P6QQ? GHSA-3633-G6MG-P6QQ is a high-severity security vulnerability in surrealdb (rust), affecting versions >= 2.2.0, < 2.2.2. It is fixed in 2.2.2, 2.1.5, 2.0.5.
  2. Which versions of surrealdb are affected by GHSA-3633-G6MG-P6QQ? surrealdb (rust) versions >= 2.2.0, < 2.2.2 is affected.
  3. Is there a fix for GHSA-3633-G6MG-P6QQ? Yes. GHSA-3633-G6MG-P6QQ is fixed in 2.2.2, 2.1.5, 2.0.5. Upgrade to this version or later.
  4. Is GHSA-3633-G6MG-P6QQ exploitable, and should I be worried? Whether GHSA-3633-G6MG-P6QQ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-3633-G6MG-P6QQ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-3633-G6MG-P6QQ?
    • Upgrade surrealdb to 2.2.2 or later
    • Upgrade surrealdb to 2.1.5 or later
    • Upgrade surrealdb to 2.0.5 or later

Other vulnerabilities in surrealdb

Stop the waste.
Protect your environment with Kodem.