GHSA-CCJ3-5P93-8P42

GHSA-CCJ3-5P93-8P42 is a critical-severity command injection vulnerability in surrealdb (rust), affecting versions >= 2.2.0, < 2.2.2. It is fixed in 2.2.2, 2.1.5, 2.0.5.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

SurrealDB server-takeover via SurrealQL injection on backup import

The SurrealDB command-line tool allows exporting databases through the export command. It was discovered that table or field names are not properly sanitized in exports, leading to a SurrealQL injection when the backup is reimported.

For the injection to occur, an authenticated System User with OWNER or EDITOR roles needs to create tables or fields with malicious names containing SurrealQL, subsequently exported using the export operation

The attacker could achieve a privilege escalation and root level access to the SurrealDB instance if a higher privileged user subsequently performs the import operation.

Furthermore, applications using SurrealDB that allow its users to define custom fields or tables are at risk of a universal second order SurrealQL injection, even if query parameters are properly sanitized.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Critical, matched by our CVSS v4 assessment.

Workarounds

For SurrealDB users that are unable to upgrade, users that are looking to perform import operations must manually inspect the exported data for injected statements, prior to importing.

References

SurrealDB Documentation - Export
SurrealDB Documentation - Import
SurrealDB Documentation - Authentication

Impact

This attack can be used to perform privilege escalation and complete takeover (root access) of the SurrealDB instance, as well as being able to perform SurrealQL injection attacks against co-tenanted applications where SurrealDB is used as a shared backend for multiple applications.

Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command. Typical impact: arbitrary command execution in the application's environment.

Affected versions

surrealdb (>= 2.2.0, < 2.2.2) surrealdb (>= 2.1.0, < 2.1.5) surrealdb (< 2.0.5)

Security releases

surrealdb → 2.2.2 (rust) surrealdb → 2.1.5 (rust) surrealdb → 2.0.5 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

A patch has been created that addresses the issue by fixing the bugs in the exporter which failed to escape some characters properly.

  • Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.

Frequently Asked Questions

  1. What is GHSA-CCJ3-5P93-8P42? GHSA-CCJ3-5P93-8P42 is a critical-severity command injection vulnerability in surrealdb (rust), affecting versions >= 2.2.0, < 2.2.2. It is fixed in 2.2.2, 2.1.5, 2.0.5. Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command.
  2. Which versions of surrealdb are affected by GHSA-CCJ3-5P93-8P42? surrealdb (rust) versions >= 2.2.0, < 2.2.2 is affected.
  3. Is there a fix for GHSA-CCJ3-5P93-8P42? Yes. GHSA-CCJ3-5P93-8P42 is fixed in 2.2.2, 2.1.5, 2.0.5. Upgrade to this version or later.
  4. Is GHSA-CCJ3-5P93-8P42 exploitable, and should I be worried? Whether GHSA-CCJ3-5P93-8P42 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-CCJ3-5P93-8P42 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-CCJ3-5P93-8P42?
    • Upgrade surrealdb to 2.2.2 or later
    • Upgrade surrealdb to 2.1.5 or later
    • Upgrade surrealdb to 2.0.5 or later

Other vulnerabilities in surrealdb

Stop the waste.
Protect your environment with Kodem.