GHSA-JV2J-MQMW-XVV5

GHSA-JV2J-MQMW-XVV5 is a medium-severity security vulnerability in surrealdb (rust), affecting versions >= 3.0.0, < 3.1.5. It is fixed in 3.1.5.

Summary

An authenticated user could crash a SurrealDB server with a single query containing a long chain of operators.

Such a query, for example RETURN 1 + 1 + 1 + ... with tens of thousands of terms, is parsed into an expression tree one level deep per operator. Because the chain is flat and the Pratt parser appends to it iteratively, the configured query- and object-recursion limits never fire, so the tree grows without bound with the length of the query.

The root cause: the over-deep tree is later walked recursively, one call per node, when it is dropped, formatted, or lowered for execution, overflowing the thread stack and aborting the process.

Workarounds

Users unable to patch should consider the following workarounds:

  • Restrict the ability of untrusted users to execute arbitrary queries via the --deny-arbitrary-query capability flag for the affected user classes (guest, record, or system).
  • Restrict untrusted access to the WebSocket /rpc endpoint, which accepts larger request bodies than the HTTP /sql endpoint. The /sql endpoint's 1 MiB body limit lowers the achievable operator depth but does not by itself guarantee the stack cannot be exhausted.
  • Run SurrealDB under an orchestrator or process manager that restarts it automatically on exit (e.g. Kubernetes, systemd Restart=on-failure, or a Docker restart policy), so the server recovers immediately after a crash. This limits downtime from a successful attack but does not prevent the crash.

Impact

An authenticated user with query-execution privileges can crash a SurrealDB server with a single query containing a long chain of operators. The whole process aborts, denying service to every namespace and database on that instance until it is restarted. The crash occurs during query processing, before any data is read or written (availability only).

GHSA-JV2J-MQMW-XVV5 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.5); upgrading removes the vulnerable code path.

Affected versions

surrealdb (>= 3.0.0, < 3.1.5)

Security releases

surrealdb → 3.1.5 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

The fix introduces a dedicated expression-depth budget, expr_recursion_limit, sourced from max_expression_parsing_depth (default 128, configurable via SURREAL_MAX_EXPRESSION_PARSING_DEPTH). It is charged once per Pratt-parser level and once per operator appended to the spine, so an over-deep operator chain is rejected with a syntax error instead of building a tree that overflows the stack downstream. Paths that re-parse already-validated stored data are exempted, so existing databases with deep stored expressions still load.

  • Versions 3.1.5 and later are not affected by this issue.
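To make the parse-time budget concrete, here is an added illustration in Rust (not SurrealDB's parser; the names Expr, DEPTH_LIMIT, parse_chain, depth and chain are assumptions): a minimal left-associative + chain parser that charges one unit of budget per operator appended to the spine and rejects the query once the budget is spent, beside the recursive walk that would otherwise consume one stack frame per level.

```rust
// Added illustration, not SurrealDB's parser: a minimal `+` chain parser that
// charges a depth budget per operator, as the 3.1.5 fix describes. All names assumed.
#[derive(Debug, PartialEq)]
pub enum Expr {
    Num(i64),
    Add(Box<Expr>, Box<Expr>),
}
/// Mirrors the default of max_expression_parsing_depth (128).
pub const DEPTH_LIMIT: usize = 128;
/// Parses `1 + 1 + ...` into a left-leaning tree. Each appended operator adds one
/// spine level and is charged against `budget`; once spent, the query is rejected.
pub fn parse_chain(src: &str, mut budget: usize) -> Result<Expr, String> {
    let mut toks = src.split_whitespace();
    let first = toks.next().ok_or("empty expression")?;
    let mut lhs = Expr::Num(first.parse::<i64>().map_err(|e| e.to_string())?);
    while let Some(op) = toks.next() {
        if op != "+" {
            return Err(format!("unexpected token {:?}", op));
        }
        // The chain is flat (no nesting), so recursion limits never see it; charge per operator.
        if budget == 0 {
            return Err("expression too deep".to_string());
        }
        budget -= 1;
        let rhs = toks.next().ok_or("dangling operator")?;
        let rhs = Expr::Num(rhs.parse::<i64>().map_err(|e| e.to_string())?);
        lhs = Expr::Add(Box::new(lhs), Box::new(rhs));
    }
    Ok(lhs)
}

/// Recursive walk like the drop/format/lower passes in the advisory: one stack
/// frame per spine level, which is why depth must be bounded at parse time.
pub fn depth(e: &Expr) -> usize {
    match e {
        Expr::Num(_) => 1,
        Expr::Add(l, r) => 1 + depth(l).max(depth(r)),
    }
}

/// Constructed `1 + 1 + ... + 1` input with `terms` terms (terms - 1 operators).
pub fn chain(terms: usize) -> String {
    vec!["1"; terms].join(" + ")
}
fn main() {
    println!("depth {}", depth(&parse_chain(&chain(50), DEPTH_LIMIT).unwrap()));
    // 200 operators exceed the 128 budget: rejected with a parse error, no crash.
    println!("{:?}", parse_chain(&chain(201), DEPTH_LIMIT).map(|e| depth(&e)));
}
```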

Frequently Asked Questions

  1. What is GHSA-JV2J-MQMW-XVV5? GHSA-JV2J-MQMW-XVV5 is a medium-severity security vulnerability in surrealdb (rust), affecting versions >= 3.0.0, < 3.1.5. It is fixed in 3.1.5.
  2. How severe is GHSA-JV2J-MQMW-XVV5? GHSA-JV2J-MQMW-XVV5 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of surrealdb are affected by GHSA-JV2J-MQMW-XVV5? surrealdb (rust) versions >= 3.0.0, < 3.1.5 are affected.
  4. Is there a fix for GHSA-JV2J-MQMW-XVV5? Yes. GHSA-JV2J-MQMW-XVV5 is fixed in 3.1.5. Upgrade to this version or later.
  5. Is GHSA-JV2J-MQMW-XVV5 exploitable, and should I be worried? Whether GHSA-JV2J-MQMW-XVV5 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-JV2J-MQMW-XVV5 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-JV2J-MQMW-XVV5? Upgrade surrealdb to 3.1.5 or later.
