GHSA-2cvj-g5r5-jrrg: SurrealDB has local file read of 2-column TSV files via analyzers

April 10, 2025

An authenticated system user at the root, namespace, or database levels can use the DEFINE ANALYZER statement to point to arbitrary file locations on the file system, and should the file be tab separated with two columns, the analyzer can be leveraged to exfiltrate the content.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53’s preliminary finding is Low, matched by our CVSS v4 assessment.

References

github.com/advisories/GHSA-2cvj-g5r5-jrrg
github.com/surrealdb/surrealdb
github.com/surrealdb/surrealdb/pull/5600
github.com/surrealdb/surrealdb/security/advisories/GHSA-2cvj-g5r5-jrrg

Code Behaviors & Features

Detect and mitigate GHSA-2cvj-g5r5-jrrg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →