GHSA-rq86-9m6r-cm3g: SurrealDB has uncaught exception in Net module that leads to database crash

April 10, 2025

A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the net module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the /sql endpoint.

References

github.com/advisories/GHSA-rq86-9m6r-cm3g
github.com/surrealdb/surrealdb
github.com/surrealdb/surrealdb/pull/5647
github.com/surrealdb/surrealdb/security/advisories/GHSA-rq86-9m6r-cm3g

Code Behaviors & Features

Detect and mitigate GHSA-rq86-9m6r-cm3g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →