Summary
SurrealDB CPU exhaustion via custom functions result in total DoS
SurrealDB allows authenticated users with OWNER or EDITOR permissions at the root, database or namespace levels to define their own database functions using the DEFINE FUNCTION statement
A custom database function comprises a name together with a function body. In the function body, the user programs the functionality of the function in terms of SurrealQL. The language includes a FOR keyword, used to implement for-loops.
Whilst the parser and interpreter constrain the number of iterations for a single for-loop, nesting several for-loops with a large number of iterations is possible. Thus, an attacker could define a function that comprises several nested for-loops with an iteration count of 1.000.000 each.
Executing the function will consume all the CPU time of the server, timeouts configured will not break the CPU consumption, and the function execution monopolizes all CPU time of the SurrealDB server, effectively preventing the server from executing functions, queries, commands of other users, or allowing further connections being established to the server.
Terminating the stuck server requires manual intervention which forces a quit on the server process, as the server application is not responsive any longer.
This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is high, matched by our CVSS v4 assessment.
Workarounds
For SurrealDB users that are unable to upgrade, consider setting the --allow-functions and/or --deny-functions options or corresponding SURREAL_CAPS_ALLOW_FUNC and/or SURREAL_CAPS_DENY_FUNC environment variables, documented within capabilities, to either block all custom functions, or only allow trusted functions to execute.
References
SurrealQL Documentation - DEFINE FUNCTION Statement
SurrealQL Documentation - FOR Statement
SurrealDB Documentation - Capabilities
SurrealDB Documentation - Environment variables
#5597
Impact
Denial of Service vulnerability resulting in a stuck SurrealDB server requiring manual restart.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
A patch has been introduced that adds a check in the ForEachStatement that checks if the context has been cancelled or timed out for every iteration.
- Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue.
Frequently Asked Questions
- What is GHSA-PXW4-94J3-V9PF? GHSA-PXW4-94J3-V9PF is a high-severity security vulnerability in surrealdb (rust), affecting versions >= 2.2.0, < 2.2.2. It is fixed in 2.2.2, 2.1.5, 2.0.5.
- Which versions of surrealdb are affected by GHSA-PXW4-94J3-V9PF? surrealdb (rust) versions >= 2.2.0, < 2.2.2 is affected.
- Is there a fix for GHSA-PXW4-94J3-V9PF? Yes. GHSA-PXW4-94J3-V9PF is fixed in 2.2.2, 2.1.5, 2.0.5. Upgrade to this version or later.
- Is GHSA-PXW4-94J3-V9PF exploitable, and should I be worried? Whether GHSA-PXW4-94J3-V9PF is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-PXW4-94J3-V9PF is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-PXW4-94J3-V9PF?
- Upgrade
surrealdbto 2.2.2 or later - Upgrade
surrealdbto 2.1.5 or later - Upgrade
surrealdbto 2.0.5 or later
- Upgrade