GHSA-58j9-j2fj-v8f4: SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface
SurrealDB depends on the tungstenite and tokio-tungstenite crates, which are used by the axum crate that handles connections to the SurrealDB WebSocket interface. In tungstenite versions before 0.20.1, parsing the HTTP headers during the client handshake could continuously consume high CPU when the headers were very long. All affected crates have been updated in SurrealDB version 1.1.0.
From the original advisory for CVE-2023-43669: “The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).”
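The two factors the advisory names (how many parse attempts are made and how much data each attempt re-reads) come from a handshake reader that re-parses the whole accumulated buffer on every received chunk. The following is an added illustration, not tungstenite's or SurrealDB's code: the unbounded read-loop shape beside a bounded form that caps the header block and scans only newly arrived bytes. The cap value `MAX_HANDSHAKE_BYTES` and the sample requests are assumptions chosen for the example.

```rust
// Cap on buffered handshake bytes; an assumed value, not tungstenite's.
const MAX_HANDSHAKE_BYTES: usize = 8 * 1024;

#[derive(Debug, PartialEq)]
pub enum HandshakeError { TooLarge, Incomplete }

/// Outcome of one handshake read: end offset of the header block (if found),
/// number of parse attempts, and total bytes examined across all attempts.
#[derive(Debug, PartialEq)]
pub struct ReadStats { pub result: Result<usize, HandshakeError>, pub attempts: usize, pub bytes_scanned: usize }

/// Look for the CRLFCRLF that terminates an HTTP header block, starting at `from`.
/// Returns the end offset if found, plus how many bytes were examined.
fn find_header_end(buf: &[u8], from: usize) -> (Option<usize>, usize) {
    let mut scanned = 0;
    for (i, w) in buf[from..].windows(4).enumerate() {
        scanned += 1;
        if w == b"\r\n\r\n" { return (Some(from + i + 4), scanned); }
    }
    (None, scanned)
}

/// Shared driver: `bound` caps the buffered bytes (None = no cap) and `incremental`
/// resumes the scan just before the previous buffer end instead of from offset 0.
fn read_handshake(chunks: &[&[u8]], bound: Option<usize>, incremental: bool) -> ReadStats {
    let mut buf: Vec<u8> = Vec::new();
    let (mut attempts, mut bytes_scanned) = (0, 0);
    for chunk in chunks {
        let prev_len = buf.len();
        buf.extend_from_slice(chunk);
        if bound.map_or(false, |max| buf.len() > max) {
            return ReadStats { result: Err(HandshakeError::TooLarge), attempts, bytes_scanned };
        }
        attempts += 1;
        let from = if incremental { prev_len.saturating_sub(3) } else { 0 };
        let (end, scanned) = find_header_end(&buf, from);
        bytes_scanned += scanned;
        if let Some(n) = end { return ReadStats { result: Ok(n), attempts, bytes_scanned }; }
    }
    ReadStats { result: Err(HandshakeError::Incomplete), attempts, bytes_scanned }
}

/// Vulnerable shape: no cap, full re-parse from offset 0 on every received chunk,
/// so total work grows with the square of the header length.
pub fn read_unbounded(chunks: &[&[u8]]) -> ReadStats { read_handshake(chunks, None, false) }

/// Hardened shape: reject oversized header blocks and scan only newly arrived bytes.
pub fn read_bounded(chunks: &[&[u8]]) -> ReadStats { read_handshake(chunks, Some(MAX_HANDSHAKE_BYTES), true) }
```

Feeding both readers a request whose single header value is tens of kilobytes long shows the difference: the unbounded reader succeeds but examines far more bytes than the request contains, while the bounded reader rejects the handshake early with a small, fixed amount of work.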
References
- github.com/advisories/GHSA-58j9-j2fj-v8f4
- github.com/snapview/tungstenite-rs/issues/376
- github.com/surrealdb/surrealdb
- github.com/surrealdb/surrealdb/commit/87859158d3750b03564613de70b5ec4ae090549d
- github.com/surrealdb/surrealdb/pull/2807
- github.com/surrealdb/surrealdb/security/advisories/GHSA-58j9-j2fj-v8f4
- nvd.nist.gov/vuln/detail/CVE-2023-43669
- rustsec.org/advisories/RUSTSEC-2023-0065.html