Summary
An authenticated user could bypass permission rules that gated access on parts of a record's id, most commonly tenant-isolation rules of the form PERMISSIONS FOR select WHERE id.tenant = $auth.id.tenant. The same defect also let UNIQUE constraints defined on parts of an id admit duplicate entries.
When a query referenced part of a composite record id (id.tenant, id.uid, …), SurrealDB read the value from the record's editable body fields instead of from the immutable id key. Because the body is editable but the id is fixed at creation, an attacker with write access could set the body field to any value and have permission checks read that spoofed value.
Workarounds
Users who cannot upgrade to 3.1.0 are advised to apply the following workarounds in the meantime:
- Avoid permission expressions that read id.<field> on Object-keyed record ids; gate on the full record id (id = $auth.id) or on a server-derived session value instead.
- Avoid UNIQUE indexes on id.<field> until you can upgrade to 3.1.0; use DEFINE INDEX ... ON FIELDS id UNIQUE (the full id) where possible.
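The weak rule from the summary beside the advisory's workaround, written out as an added SurrealQL example. This is not code from the advisory or from SurrealDB itself; the table name doc, the id components tenant and uid, the field names, and the tenant values alpha and beta are assumed for illustration. It also assumes the authenticated principal is a record whose own id carries a tenant component (for example user:{ tenant: 'alpha', uid: 7 }), so that $auth.id.tenant resolves.

```sql
-- Added example (not from the advisory or SurrealDB's own docs); the table,
-- field and tenant names below are assumed for illustration.

-- Weak form: the rule reads one component of the composite record id.
-- On surrealdb < 3.1.0, id.tenant resolves to the editable body field
-- `tenant` instead of the immutable id key.
DEFINE TABLE doc SCHEMAFULL
  PERMISSIONS
    FOR select WHERE id.tenant = $auth.id.tenant;
DEFINE FIELD tenant ON doc TYPE string;
DEFINE FIELD title  ON doc TYPE string;
-- Same defect for a UNIQUE index on part of the id.
DEFINE INDEX one_per_tenant ON doc FIELDS id.tenant UNIQUE;

-- Issued by a principal with write access (the precondition the advisory
-- names): the id key says tenant 'beta', the body field says 'alpha'.
-- The id is fixed at creation; the body field can be set to anything.
CREATE doc:{ tenant: 'beta', uid: 1 } SET tenant = 'alpha', title = 'hidden';

-- Under the bug the select rule compares the spoofed body value 'alpha',
-- so a session whose $auth.id.tenant is 'alpha' passes the check, and the
-- UNIQUE index also indexes 'alpha', so a second 'beta'-keyed record is
-- admitted instead of rejected.

-- Hardened form per the advisory's workarounds: compare the whole record id
-- (appropriate where each record belongs to the authenticated record itself)
-- and define the UNIQUE index on the full id rather than on a component.
DEFINE TABLE doc_fixed SCHEMAFULL
  PERMISSIONS
    FOR select WHERE id = $auth.id;
DEFINE FIELD title ON doc_fixed TYPE string;
DEFINE INDEX full_id ON doc_fixed FIELDS id UNIQUE;
```

The hardened rule deliberately never dereferences a component of id, so there is no body field for an attacker to shadow; where records are shared across a tenant rather than owned by one principal, the advisory's other suggestion, a server-derived session value, is the comparison to use.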
Impact
What an attacker can do:
- Read records hidden by permission rules of the form id.<field> = $auth.<...> (typically tenant- or scope-isolation boundaries) by writing the same-named field on a record they control to the spoofed value.
- Cause UNIQUE constraints defined on id.<field> to silently admit duplicate entries, leaving the database with rows that violate the constraint.
What it can't do:
- Cross namespace or database isolation boundaries.
- Bypass field-level PERMISSIONS FOR update clauses that don't reference id.<field> paths.
- Affect availability or crash the server.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
GHSA-6VG3-HGRW-P5GF has a CVSS score of 5.4 (Medium). The vector is network-reachable, requires low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.0); upgrading removes the vulnerable code path.
Affected versions
- surrealdb (rust): all versions earlier than 3.1.0
Security releases
- 3.1.0
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In 3.1.0 the value-path resolver special-cases Part::Field and Part::Value against RecordIdKey::Object, reading the named component directly from the id key without ever entering select_document. The Array-keyed special case (id[0], id[1], …) is unchanged.
- Versions 3.1.0 and later are not affected.
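Upgrading stops new bypasses, but it does not remove rows that a UNIQUE index on id.<field> already admitted while the bug was present. The following audit query is an added example (not from the advisory or from SurrealDB) for finding such rows; the table name doc and the tenant component are assumed, and it must be run on 3.1.0 or later, because on an affected version id.tenant in the query itself would read the spoofable body field rather than the id key.

```sql
-- Added example, not from the advisory: audit for duplicates that a UNIQUE
-- index on id.tenant admitted before the upgrade. Run on surrealdb >= 3.1.0,
-- where id.tenant resolves against the record id key. Names are assumed.

-- Tenants that own more than one record despite the one-per-tenant index.
SELECT * FROM (
  SELECT id.tenant AS tenant, count() AS n FROM doc GROUP BY tenant
) WHERE n > 1;

-- Records whose id key and body field disagree: the spoofing pattern the
-- advisory describes, and the rows most likely to be the offending entries.
SELECT id, tenant, title FROM doc WHERE id.tenant != tenant;

-- Drill into one tenant reported by the first query (value assumed).
SELECT id, tenant, title FROM doc WHERE id.tenant = 'beta';
```

The second query assumes the body field is still named after the id component, as in the advisory's spoofing scenario; if a table uses a different field name, substitute it. Once the offending rows are deleted or re-keyed, redefine the index on the full id as the workaround section recommends.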
Frequently Asked Questions
- What is GHSA-6VG3-HGRW-P5GF? GHSA-6VG3-HGRW-P5GF is a medium-severity incorrect authorization vulnerability in surrealdb (rust), affecting versions < 3.1.0. It is fixed in 3.1.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is GHSA-6VG3-HGRW-P5GF? GHSA-6VG3-HGRW-P5GF has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of surrealdb are affected by GHSA-6VG3-HGRW-P5GF? surrealdb (rust) versions < 3.1.0 are affected.
- Is there a fix for GHSA-6VG3-HGRW-P5GF? Yes. GHSA-6VG3-HGRW-P5GF is fixed in 3.1.0. Upgrade to this version or later.
- Is GHSA-6VG3-HGRW-P5GF exploitable, and should I be worried? Whether GHSA-6VG3-HGRW-P5GF is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether GHSA-6VG3-HGRW-P5GF is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-6VG3-HGRW-P5GF? Upgrade surrealdb to 3.1.0 or later.