GHSA-CC8F-FCX3-GPJR

GHSA-CC8F-FCX3-GPJR is a high-severity path traversal vulnerability in surrealdb (rust), affecting versions < 3.1.5. It is fixed in 3.1.5.

Summary

SurrealDB's full-text search lets you define a text analyzer whose mapper filter loads a term-mapping file from disk (DEFINE ANALYZER ... FILTERS mapper('<path>')). A database user with the EDITOR or OWNER role could point that filter at any file the SurrealDB process can read and have its content returned in the query's error message.

File access is meant to be restricted by the SURREAL_FILE_ALLOWLIST setting, but an empty allowlist applied no restriction at all, and empty is the default.

Workarounds

Users unable to upgrade are advised to consider the following:

  • Set SURREAL_FILE_ALLOWLIST to a directory that contains only the intended mapping files; this confines the mapper filter to that path. On affected versions the allowlist must be non-empty to have any effect.
  • Grant the EDITOR and OWNER database roles only to trusted principals.
  • Avoid supplying secrets, including the root credentials, on the command line or through environment variables; prefer mounted files with least-privilege permissions.

Acknowledgements

Thanks to Jan Kahmen (@kah-ja) for finding and reporting this issue.

Impact

The file is read with the privileges of the SurrealDB process, so a database EDITOR or OWNER user can disclose the contents of any file the process can access. Only the first line of the file is returned; for a file containing no newline, that is its entire content.

However, recovering the process's command line and environment could expose startup root credentials (--user / --pass) and secret environment variables, escalating a single-database role toward full control of the instance.

The read on the underlying filesystem is bounded by what the SurrealDB process can reach (any file readable by the OS user it runs as), so the impact scales with how the process is run and what is mounted into it.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

GHSA-CC8F-FCX3-GPJR has a CVSS score of 7.7 (High). The vector is network-reachable, requires only low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.5); upgrading removes the vulnerable code path.

Affected versions

surrealdb (< 3.1.5)

Security releases

surrealdb → 3.1.5 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

A patch has been included in SurrealDB 3.1.5.

File access is now secure by default. check_is_path_allowed denies every path when no SURREAL_FILE_ALLOWLIST is configured, so the mapper filter cannot open any file unless the operator has explicitly allowed its directory. Analyzer parse errors no longer include the contents of the mapped file, only the line number.
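An illustrative reconstruction of the two allowlist semantics described in the Summary and in the remediation advice above, plus the fixed-version style of error reporting that names only a line number. This is added example code, not SurrealDB's own check_is_path_allowed or mapper implementation; the "term<TAB>replacement" file format, the directory names and the probe path are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

// Lexically resolve `.` and `..` so the example runs offline; production
// code should also canonicalize() to defeat symlinks (omitted here).
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

// Component-wise prefix test: "/data/maps-evil" is not under "/data/maps".
fn under_allowlist(allowlist: &[PathBuf], requested: &Path) -> bool {
    let req = normalize(requested);
    allowlist.iter().any(|dir| req.starts_with(normalize(dir)))
}

// Pre-3.1.5 behaviour per the advisory: an empty allowlist (the default)
// imposed no restriction at all.
fn is_allowed_vulnerable(allowlist: &[PathBuf], requested: &Path) -> bool {
    allowlist.is_empty() || under_allowlist(allowlist, requested)
}

// 3.1.5 behaviour: deny every path until an operator allows a directory.
fn is_allowed_fixed(allowlist: &[PathBuf], requested: &Path) -> bool {
    !allowlist.is_empty() && under_allowlist(allowlist, requested)
}

// Mapping lines are assumed to be "term<TAB>replacement" (illustrative
// format). A bad line is reported by number only, never by content.
fn parse_mappings(content: &str) -> Result<Vec<(String, String)>, String> {
    content.lines().enumerate().map(|(i, line)| {
        line.split_once('\t')
            .map(|(k, v)| (k.to_string(), v.to_string()))
            .ok_or_else(|| format!("invalid mapping on line {}", i + 1))
    }).collect()
}

fn main() {
    let allow = vec![PathBuf::from("/data/maps")];
    let probe = Path::new("/data/maps/../secrets/config.toml"); // constructed
    println!("{} {} {}", is_allowed_vulnerable(&[], probe),
        is_allowed_fixed(&[], probe), is_allowed_fixed(&allow, probe));
    println!("{:?}", parse_mappings("secret=constructed-value"));
}
```

With no allowlist the vulnerable check returns true and the fixed one false; with "/data/maps" allowed, the traversal probe is denied in both the fixed check and, once the list is non-empty, the old one too, which is why the first workaround above is effective.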

Frequently Asked Questions

  1. What is GHSA-CC8F-FCX3-GPJR? GHSA-CC8F-FCX3-GPJR is a high-severity path traversal vulnerability in surrealdb (rust), affecting versions < 3.1.5. It is fixed in 3.1.5. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is GHSA-CC8F-FCX3-GPJR? GHSA-CC8F-FCX3-GPJR has a CVSS score of 7.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of surrealdb are affected by GHSA-CC8F-FCX3-GPJR? surrealdb (rust) versions < 3.1.5 are affected.
  4. Is there a fix for GHSA-CC8F-FCX3-GPJR? Yes. GHSA-CC8F-FCX3-GPJR is fixed in 3.1.5. Upgrade to this version or later.
  5. Is GHSA-CC8F-FCX3-GPJR exploitable, and should I be worried? Whether GHSA-CC8F-FCX3-GPJR is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-CC8F-FCX3-GPJR is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-CC8F-FCX3-GPJR? Upgrade surrealdb to 3.1.5 or later.
