GHSA-4V76-CW68-4VC9

GHSA-4V76-CW68-4VC9 is a medium-severity security vulnerability in surrealdb (rust), affecting versions < 3.1.0. It is fixed in 3.1.0.

Summary

A LIVE query whose WHERE clause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any SurrealQL function that takes a typed parameter with a value of the wrong type, for example LIVE SELECT * FROM t WHERE string::trim(deny), triggered an evaluation error inside the LIVE notification path. That error then propagated to the triggering write, rolling back the attempted change.

While such a LIVE query was registered, all CREATE, UPDATE, and DELETE operations on the watched table failed, including those issued by a root user, for as long as the registration remained active. Registering the LIVE query required only select permission on the table; no other permission on the table was needed.

Workarounds

Users unable to upgrade should restrict the ability of untrusted users to register LIVE queries by removing the select permission on tables they want to keep writeable, or by gating LIVE registration at the application layer.

Impact

An authenticated user with select permission on a table can prevent all CREATE, UPDATE, and DELETE operations on that table, by any other user, up to and including root, for the lifetime of a single registered LIVE query. Service is restored when the LIVE query is killed or the session that registered it ends.

GHSA-4V76-CW68-4VC9 has a CVSS score of 6.5 (Medium). The vector is network-reachable, requires only low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.0); upgrading removes the vulnerable code path.

Affected versions

surrealdb (< 3.1.0)

Security releases

surrealdb → 3.1.0 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

A patch has been introduced that:

  1. Decouples LIVE query evaluation errors from the source transaction: when lq_check returns an error during the LIVE notification path, the error is now reported to the LIVE subscriber as an Action::Error notification and the LIVE processing path returns Ok(()). The triggering write proceeds normally.
  2. Defers the error notification until after the permission check: the Action::Error notification is delivered only after the LIVE subscription's PERMISSIONS clause has been evaluated, so unauthorised subscribers do not learn even that an error occurred (closing an information-disclosure side channel introduced by the first part of the fix).
  • Versions 3.1.0 and later are not affected by this issue.
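The two-part fix is easier to reason about as a small model of the notification path. The following Rust block is an added example and is not SurrealDB's code; the type and function names (Check, LiveSubscription, notify_vulnerable, notify_fixed, apply_write, run_scenario) and the constructed error message are assumptions made for the illustration. It places the pre-3.1.0 behaviour (the WHERE-clause evaluation error propagates into the writer's transaction) beside the fixed behaviour (the error is swallowed on the write side, the PERMISSIONS check runs first, and only a permitted subscriber receives Action::Error).

```rust
// Added example (not SurrealDB's code): a reduced model of the LIVE
// notification path described in the advisory. Names are assumptions.

/// Notification actions a LIVE subscriber can receive.
#[derive(Debug, Clone, PartialEq)]
pub enum Action {
    Create,
    Update,
    Delete,
    /// Added by the fix: the WHERE-clause evaluation error is reported to the
    /// subscriber instead of failing the triggering write.
    Error(String),
}

/// Outcome of evaluating the LIVE query's WHERE clause against the changed
/// record (the role the advisory attributes to lq_check). There is no SurrealQL
/// evaluator here, so each subscription carries a pre-computed outcome.
#[derive(Debug, Clone, PartialEq)]
pub enum Check {
    Matches,
    DoesNotMatch,
    /// e.g. string::trim applied to a value that is not a string
    EvalError(String),
}

pub struct LiveSubscription {
    pub check: Check,
    /// Whether the subscriber passes the table's PERMISSIONS clause for this record.
    pub permitted: bool,
    pub inbox: Vec<Action>,
}

/// Behaviour before 3.1.0: an evaluation error is returned to the caller,
/// i.e. into the writer's transaction, which is then rolled back.
pub fn notify_vulnerable(sub: &mut LiveSubscription, action: Action) -> Result<(), String> {
    match sub.check.clone() {
        Check::EvalError(msg) => Err(msg),
        Check::DoesNotMatch => Ok(()),
        Check::Matches => {
            if sub.permitted {
                sub.inbox.push(action);
            }
            Ok(())
        }
    }
}

/// Behaviour from 3.1.0: the error never reaches the writer. The PERMISSIONS
/// check runs before anything is delivered, so an unauthorised subscriber does
/// not even learn that an error occurred; a permitted one gets Action::Error.
pub fn notify_fixed(sub: &mut LiveSubscription, action: Action) -> Result<(), String> {
    let outcome = sub.check.clone();
    if outcome == Check::DoesNotMatch {
        return Ok(());
    }
    if !sub.permitted {
        return Ok(()); // deliver nothing, report nothing
    }
    match outcome {
        Check::Matches => sub.inbox.push(action),
        Check::EvalError(msg) => sub.inbox.push(Action::Error(msg)),
        Check::DoesNotMatch => unreachable!(),
    }
    Ok(()) // the triggering write proceeds regardless
}

pub type Notifier = fn(&mut LiveSubscription, Action) -> Result<(), String>;

/// The writer's side: a CREATE/UPDATE/DELETE fans out to every LIVE registered
/// on the table. Any Err from the notification path aborts (rolls back) the
/// write; Ok means it committed.
pub fn apply_write(subs: &mut [LiveSubscription], action: Action, notify: Notifier) -> Result<(), String> {
    for sub in subs.iter_mut() {
        notify(sub, action.clone())?;
    }
    Ok(())
}

/// Constructed scenario: a LIVE with a poisoned WHERE clause registered by a
/// user holding only select permission, an ordinary subscriber, and a
/// subscriber whose PERMISSIONS check fails. Returns the write outcome and each
/// subscriber's inbox, in that order.
pub fn run_scenario(notify: Notifier) -> (Result<(), String>, Vec<Vec<Action>>) {
    let err = "string::trim expects a string".to_string(); // constructed message
    let mut subs = vec![
        LiveSubscription { check: Check::EvalError(err.clone()), permitted: true, inbox: vec![] },
        LiveSubscription { check: Check::Matches, permitted: true, inbox: vec![] },
        LiveSubscription { check: Check::EvalError(err), permitted: false, inbox: vec![] },
    ];
    let result = apply_write(&mut subs, Action::Create, notify);
    (result, subs.into_iter().map(|s| s.inbox).collect())
}

fn main() {
    let (before, _) = run_scenario(notify_vulnerable);
    println!("< 3.1.0: CREATE by root -> {:?}", before);
    let (after, inboxes) = run_scenario(notify_fixed);
    println!("3.1.0: CREATE by root -> {:?}, inboxes {:?}", after, inboxes);
}
```

The ordering inside notify_fixed is the point of the second part of the patch: the permission check sits between evaluation and delivery, so a subscriber that fails the PERMISSIONS clause sees neither the record nor the fact that evaluation failed, while the writer's result is Ok(()) in every case.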

Frequently Asked Questions

  1. What is GHSA-4V76-CW68-4VC9? GHSA-4V76-CW68-4VC9 is a medium-severity security vulnerability in surrealdb (rust), affecting versions < 3.1.0. It is fixed in 3.1.0.
  2. How severe is GHSA-4V76-CW68-4VC9? GHSA-4V76-CW68-4VC9 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of surrealdb are affected by GHSA-4V76-CW68-4VC9? surrealdb (rust) versions < 3.1.0 are affected.
  4. Is there a fix for GHSA-4V76-CW68-4VC9? Yes. GHSA-4V76-CW68-4VC9 is fixed in 3.1.0. Upgrade to this version or later.
  5. Is GHSA-4V76-CW68-4VC9 exploitable, and should I be worried? Whether GHSA-4V76-CW68-4VC9 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-4V76-CW68-4VC9 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-4V76-CW68-4VC9? Upgrade surrealdb to 3.1.0 or later.

