Summary
SurrealDB vulnerable to Denial of Service through scripting function memory edge case
In SurrealDB instances with the scripting capability enabled (--allow-scripting), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.
The query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.
Whilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (--allow-guests), is enabled, then guests can perform this attack.
Workarounds
Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.
Administrators can also use --deny-arbitrary-query to deny arbitrary querying by either guest, record or system users, or a combination of those, with impacts to functionality for those users.
Links
SurrealDB Documentation - Capabilities
SurrealDB Documentation - Guest Access
SurrealQL Documentation - Scripting Functions
quickjs-ng v0.9 Release Notes
https://github.com/surrealdb/surrealdb/pull/6833
https://github.com/surrealdb/surrealdb/pull/6774
Impact
Any user able to execute queries on a SurrealDB instance with scripting enabled (--allow-scripting) can cause complete denial of service. The server process terminates immediately without graceful shutdown.
The underlying cause of the vulnerability is a null pointer dereference in the QuickJS-NG v0.8 JavaScript engine, this vulnerability cannot be exploited to execute arbitrary code, or compromise the integrity or confidentiality of data.
The application dereferences a null pointer, causing a crash. Typical impact: denial of service via crash.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Versions prior to SurrealDB v2.6.1 and v3.0.0-beta.3 are vulnerable.
The patches for SurrealDB v2.6.1 and v3.0.0-beta.3 update the rquickjs dependency from v0.9.0 to v0.11.0, which in turn uses an updated version of QuickJS-NG.
Frequently Asked Questions
- What is GHSA-XX7M-69FF-9CRP? GHSA-XX7M-69FF-9CRP is a medium-severity null pointer dereference vulnerability in surrealdb (rust), affecting versions < 2.6.1. It is fixed in 2.6.1, 3.0.0-beta.3. The application dereferences a null pointer, causing a crash.
- Which versions of surrealdb are affected by GHSA-XX7M-69FF-9CRP? surrealdb (rust) versions < 2.6.1 is affected.
- Is there a fix for GHSA-XX7M-69FF-9CRP? Yes. GHSA-XX7M-69FF-9CRP is fixed in 2.6.1, 3.0.0-beta.3. Upgrade to this version or later.
- Is GHSA-XX7M-69FF-9CRP exploitable, and should I be worried? Whether GHSA-XX7M-69FF-9CRP is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-XX7M-69FF-9CRP is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-XX7M-69FF-9CRP?
- Upgrade
surrealdbto 2.6.1 or later - Upgrade
surrealdbto 3.0.0-beta.3 or later
- Upgrade