GHSA-98FX-66CF-FC7C

GHSA-98FX-66CF-FC7C is a medium-severity incorrect authorization vulnerability in surrealdb (rust), affecting versions < 3.1.0. It is fixed in 3.1.0.

Summary

A vulnerability was discovered where the user-supplied WHERE clause in a SELECT statement is evaluated against the full record data before PERMISSIONS FOR SELECT WHERE determines whether the principal is authorised to access that record. A side-effecting expression in the WHERE clause can exfiltrate record contents before the permission check runs. The same ordering bug affects the SET, MERGE, CONTENT and PATCH clauses of update-variant statements (UPDATE, UPSERT-update, INSERT ON DUPLICATE KEY UPDATE, RELATE-update).

This vulnerability is confined to the attacker's current database. It does not cross namespace or database isolation boundaries.
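To make the ordering problem concrete, here is an added illustration (not SurrealDB source and not part of the advisory): a toy in-memory table with a row-level SELECT permission and a user-supplied WHERE predicate that has a side effect (it records every row it is evaluated on). The two query functions differ only in whether the permission check or the user predicate runs first. The names `Table`, `SpyPredicate`, `select_vulnerable` and `select_fixed` are hypothetical; they model the behaviour the advisory describes, not the real engine.

```python
"""Model of the evaluation-order bug described in the advisory.

Added illustration, not SurrealDB code: the permission is the equivalent of a
row-level "PERMISSIONS FOR select WHERE owner = $auth.id" rule, and the
predicate stands in for a user-supplied WHERE clause that has side effects.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Record = Dict[str, object]
Predicate = Callable[[Record], bool]


@dataclass
class Principal:
    id: str


@dataclass
class Table:
    rows: List[Record]
    # Row-level SELECT permission: may `who` read `row`? (hypothetical model)
    permission: Callable[[Principal, Record], bool]


@dataclass
class SpyPredicate:
    """User-supplied WHERE clause with a side effect: logs each row it is shown."""
    seen: List[str] = field(default_factory=list)

    def __call__(self, row: Record) -> bool:
        self.seen.append(str(row["id"]))
        return True  # keep every row it is asked about


def select_vulnerable(table: Table, who: Principal, where: Predicate) -> List[Record]:
    """Buggy ordering: the WHERE clause runs on the full record before the permission check."""
    return [row for row in table.rows if where(row) and table.permission(who, row)]


def select_fixed(table: Table, who: Principal, where: Predicate) -> List[Record]:
    """Fixed ordering: the permission check gates which rows the user expression ever sees."""
    return [row for row in table.rows if table.permission(who, row) and where(row)]


def demo() -> Dict[str, List[str]]:
    # Constructed sample data: two rows owned by two different principals.
    table = Table(
        rows=[
            {"id": "note:1", "owner": "user:alice", "body": "alice's note"},
            {"id": "note:2", "owner": "user:bob", "body": "bob's note"},
        ],
        permission=lambda who, row: row["owner"] == who.id,
    )
    alice = Principal("user:alice")
    spy_vuln, spy_fixed = SpyPredicate(), SpyPredicate()
    res_vuln = select_vulnerable(table, alice, spy_vuln)
    res_fixed = select_fixed(table, alice, spy_fixed)
    return {
        "returned_vuln": [str(r["id"]) for r in res_vuln],
        "returned_fixed": [str(r["id"]) for r in res_fixed],
        "observed_vuln": spy_vuln.seen,
        "observed_fixed": spy_fixed.seen,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is why this class of bug is easy to miss: both orderings return exactly the same result set (only alice's row), so functional tests pass. The difference is only visible through the predicate's side effects, which in the buggy ordering are triggered for bob's row as well. The fix the advisory describes (running the permission check before any user-supplied expression is evaluated, on SELECT and on every update-variant path) corresponds to `select_fixed`.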

Workarounds

Affected users who are unable to update may want to:

  • Disable scripting functions if they are not required, by removing the -A / --allow-scripting flag. This blocks the most direct exfiltration method but does not fully mitigate the vulnerability, as THROW-based and timing-based exfiltration remain possible.
  • Limit query access: restrict the ability of untrusted principals to run arbitrary SELECT queries with user-controlled WHERE clauses.
  • Use namespace/database isolation instead of table-level permissions as the primary security boundary where feasible, since the vulnerability lies in table-level permission enforcement, not in namespace or database isolation.

Impact

An authenticated user, including Record and Scope users, can read the full contents of any table in the database they are authenticated against, bypassing PERMISSIONS FOR SELECT WHERE restrictions on those tables.

The most direct exfiltration method requires scripting functions to be enabled (--allow-scripting / -A). However, exfiltration via SurrealQL's THROW statement is also feasible without scripting functions, and timing-based side-channel extraction is possible in all configurations.

All tables within the attacker's current database, regardless of table-level PERMISSIONS FOR SELECT WHERE restrictions on those tables, are vulnerable to this attack. Tables in other databases within the same namespace, or within other namespaces, are not vulnerable.

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

GHSA-98FX-66CF-FC7C has a CVSS score of 6.5 (Medium). The vector is network-reachable, requires low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.0); upgrading removes the vulnerable code path.

Affected versions

surrealdb (< 3.1.0)

Security releases

surrealdb → 3.1.0 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

A patch has been introduced that runs check_permissions_table before any user-supplied expression is evaluated against the record. A new check_pre_update helper centralises this ordering on every update-variant code path. Regression tests covering WHERE, SET, MERGE, CONTENT, INSERT ON DUPLICATE KEY UPDATE, and RELATE with THROW side-effects are included.

  • Versions 3.1.0 and later are not affected by this issue.
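The practical question for a Rust project is whether its lock file pins an affected surrealdb version. The following is an added helper, not part of the advisory or of SurrealDB itself: it scans a Cargo.lock for every pinned `surrealdb` version and compares each against the fixed version 3.1.0 using semver precedence (so a pre-release such as 3.1.0-beta.1 still counts as affected). The embedded Cargo.lock fragment and its version numbers are constructed sample input; the function names are the author's own.

```python
"""Added helper (not SurrealDB code): report whether a Cargo.lock pins a
surrealdb version in the affected range (< 3.1.0). Standard library only."""
import re
import sys
from typing import List, Tuple

FIXED_VERSION = "3.1.0"  # first version not affected, per the advisory

# Constructed sample Cargo.lock fragment in the v3 lock-file layout
# (the version numbers here are made up for the demonstration).
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.210"

[[package]]
name = "surrealdb"
version = "3.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "surrealdb-core"
version = "3.0.2"
"""

_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def semver_key(version: str) -> Tuple:
    """Sortable key implementing semver precedence (build metadata is ignored)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        return core + (1, ())  # a release outranks any pre-release of the same core
    # Numeric identifiers compare numerically and rank below alphanumeric ones.
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, ids)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed version."""
    return semver_key(version) < semver_key(fixed)


def locked_versions(lock_text: str, crate: str) -> List[str]:
    """Every version of `crate` pinned in a Cargo.lock (a crate can appear more than once)."""
    found: List[str] = []
    name = None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            name = None  # new package block; its name line comes before its version line
        elif line.startswith("name = "):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = ") and name == crate:
            found.append(line.split("=", 1)[1].strip().strip('"'))
    return found


def check_lockfile(lock_text: str, crate: str = "surrealdb") -> List[Tuple[str, bool]]:
    """(version, affected) for each pinned copy of `crate`."""
    return [(v, is_affected(v)) for v in locked_versions(lock_text, crate)]


if __name__ == "__main__":
    # Usage: python check_surrealdb.py [path/to/Cargo.lock]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    results = check_lockfile(text)
    if not results:
        print("surrealdb is not in this lock file")
    for version, bad in results:
        print(f"surrealdb {version}: {'AFFECTED (< 3.1.0)' if bad else 'not affected'}")
```

The lock-file scan deliberately keys on the `name` line of each `[[package]]` block rather than a global regex, so the top-level `version = 3` format marker and sibling crates such as surrealdb-core are not mistaken for the surrealdb crate itself. Pointing the script at a real Cargo.lock gives a quick presence check; whether the crate's query path is actually reachable in the application is a separate question that this scan does not answer.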

Frequently Asked Questions

  1. What is GHSA-98FX-66CF-FC7C? GHSA-98FX-66CF-FC7C is a medium-severity incorrect authorization vulnerability in surrealdb (rust), affecting versions < 3.1.0. It is fixed in 3.1.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. How severe is GHSA-98FX-66CF-FC7C? GHSA-98FX-66CF-FC7C has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of surrealdb are affected by GHSA-98FX-66CF-FC7C? surrealdb (rust) versions < 3.1.0 are affected.
  4. Is there a fix for GHSA-98FX-66CF-FC7C? Yes. GHSA-98FX-66CF-FC7C is fixed in 3.1.0. Upgrade to this version or later.
  5. Is GHSA-98FX-66CF-FC7C exploitable, and should I be worried? Whether GHSA-98FX-66CF-FC7C is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-98FX-66CF-FC7C is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-98FX-66CF-FC7C? Upgrade surrealdb to 3.1.0 or later.
