GHSA-ccj3-5p93-8p42: SurrealDB server-takeover via SurrealQL injection on backup import

The SurrealDB command-line tool allows exporting databases through the export command. It was discovered that table or field names are not properly sanitized in exports, leading to a SurrealQL injection when the backup is reimported.

For the injection to occur, an authenticated System User with OWNER or EDITOR roles needs to create tables or fields with malicious names containing SurrealQL, subsequently exported using the export operation

The attacker could achieve a privilege escalation and root level access to the SurrealDB instance if a higher privileged user subsequently performs the import operation.

Furthermore, applications using SurrealDB that allow its users to define custom fields or tables are at risk of a universal second order SurrealQL injection, even if query parameters are properly sanitized.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53’s preliminary finding is Critical, matched by our CVSS v4 assessment.