Summary
A field can be hidden from a user with a field-level SELECT permission (DEFINE FIELD code ON secret PERMISSIONS FOR select WHERE owner = $auth.id). When that field is indexed, a record user who cannot read it could still recover the relative ordering of its values across every record by issuing ORDER BY <field>: the field came back null as intended, but the rows were returned in the hidden values' true sorted order.
To satisfy the sort, the planner selects the field's index and walks it in value order; the field-level permission is applied later, when the row is projected, so the value is nulled but the row order already encodes it. The guard that withholds restricted fields from the WHERE path was never applied to ORDER BY.
Workarounds
Users unable to upgrade are advised to consider the following:
- Force the legacy executor with
SURREAL_PLANNER_STRATEGY=compute-only; the sort then runs after redaction, so no ordering leaks. - Do not place an index on a field whose values are hidden by a field-level SELECT permission, without the index the leak does not occur.
- Do not rely on field-level SELECT permissions to hide values on indexed fields from record users; restrict at the table level instead.
- Use namespace / database isolation as the primary trust boundary where feasible.
References
- SurrealQL Documentation, DEFINE FIELD
- SurrealQL Documentation, DEFINE INDEX
- SurrealQL Documentation, DEFINE TABLE … PERMISSIONS
- Related advisory (same class, indexed COUNT variant): GHSA-c8jx-96c9-8xrp
fix(planner): prevent ORDER BY value-ordering oracle on restricted SELECT fieldsfix(planner): close ORDER BY value-ordering oracle on the DynamicScan fallback
Acknowledgements
Thanks to George Chen (@geo-chen) for finding and reporting this issue.
Impact
What an attacker can do:
- As a record (scope) user with table SELECT, learn the relative ordering of a field hidden by a field-level SELECT permission, across other users' records, by ordering on it when an index covers the field, the value returns
null, but the rows come back in the hidden values' order. - With rows they control in the same table, use that ordering to narrow the hidden values toward exact ones.
What it can't do:
- Read the field value directly, only its relative ordering leaks; the projected value is correctly redacted.
- Cross table, record, or namespace/database boundaries, the table's SELECT permission and any row-level
WHEREare still enforced, so only records the caller may already read are ordered. - Leak anything when the restricted field is not indexed, affect root or record-owner sessions, or modify data (confidentiality only).
GHSA-H4H3-3RFJ-X6FQ has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.5); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The query planner now applies the field-permission guard to the ORDER BY clause as well as the WHERE clause. When an ordered field is hidden from the caller by a field-level SELECT permission, the index sort pushdown is withheld and the rows are sorted after redaction instead, so the row order no longer reflects the hidden values. The dynamic-scan fallback is closed the same way, and a regression test was added.
The fix is included in SurrealDB 3.1.5.
Frequently Asked Questions
- What is GHSA-H4H3-3RFJ-X6FQ? GHSA-H4H3-3RFJ-X6FQ is a medium-severity security vulnerability in surrealdb (rust), affecting versions >= 3.0.0, < 3.1.5. It is fixed in 3.1.5.
- How severe is GHSA-H4H3-3RFJ-X6FQ? GHSA-H4H3-3RFJ-X6FQ has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of surrealdb are affected by GHSA-H4H3-3RFJ-X6FQ? surrealdb (rust) versions >= 3.0.0, < 3.1.5 is affected.
- Is there a fix for GHSA-H4H3-3RFJ-X6FQ? Yes. GHSA-H4H3-3RFJ-X6FQ is fixed in 3.1.5. Upgrade to this version or later.
- Is GHSA-H4H3-3RFJ-X6FQ exploitable, and should I be worried? Whether GHSA-H4H3-3RFJ-X6FQ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-H4H3-3RFJ-X6FQ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-H4H3-3RFJ-X6FQ? Upgrade
surrealdbto 3.1.5 or later.