GHSA-27vq-hv74-7cqp: SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type

December 16, 2024 (updated October 31, 2025)

The OVERWRITE clause of the DEFINE TABLE statement would fail to overwrite data for tables that were defined with TYPE RELATION. Since table definitions include the PERMISSIONS clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not.

References

github.com/advisories/GHSA-27vq-hv74-7cqp
github.com/surrealdb/surrealdb
github.com/surrealdb/surrealdb/commit/2f9a58f830c24f107b4783da1f0704a502bc7734
github.com/surrealdb/surrealdb/pull/5260
github.com/surrealdb/surrealdb/security/advisories/GHSA-27vq-hv74-7cqp

Code Behaviors & Features

Detect and mitigate GHSA-27vq-hv74-7cqp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →