GHSA-3633-g6mg-p6qq: SurrealDB memory exhaustion via string::replace using regex

April 11, 2025

An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memory of the server due to string allocations. This eventually results in a Denial-of-Service situation for the SurrealDB server.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53. Using CVSSv4 definitions, the severity is High.

References

github.com/advisories/GHSA-3633-g6mg-p6qq
github.com/surrealdb/surrealdb
github.com/surrealdb/surrealdb/pull/5619
github.com/surrealdb/surrealdb/pull/5638
github.com/surrealdb/surrealdb/security/advisories/GHSA-3633-g6mg-p6qq

Code Behaviors & Features

Detect and mitigate GHSA-3633-g6mg-p6qq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →