CVE-2025-11060

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-11060

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-11060.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-11060

Aliases

GHSA-7vm2-j586-vcvc

Published

2025-09-26T13:15:41.757Z

Modified

2025-11-16T12:26:03.553704Z

Severity

5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

References

Affected packages

Git / github.com/surrealdb/surrealdb

Affected ranges

Type: GIT
Repo: https://github.com/surrealdb/surrealdb
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d81169a06b89f0c588134ddf2d62eeb8d5e8fd0c

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.10

v0.1.11

v0.1.12

v0.1.13

v0.1.14

v0.1.15

v0.1.16

v0.1.17

v0.1.18

v0.1.19

v0.1.2

v0.1.20

v0.1.21

v0.1.22

v0.1.23

v0.1.24

v0.1.25

v0.1.26

v0.1.27

v0.1.28

v0.1.29

v0.1.3

v0.1.30

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.3.0

v1.*

v1.0.0

v1.0.0-beta.1

v1.0.0-beta.10

v1.0.0-beta.11

v1.0.0-beta.12

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-beta.4

v1.0.0-beta.5

v1.0.0-beta.6

v1.0.0-beta.7

v1.0.0-beta.8

v1.0.0-beta.9

v1.0.0-beta.9+20230402

v2.*

v2.0.0

v2.0.0-alpha.1

v2.0.0-alpha.2

v2.0.0-alpha.3

v2.0.0-alpha.4

v2.0.0-alpha.5

v2.0.0-alpha.6

v2.0.0-alpha.7

v2.0.0-alpha.8

v2.0.0-alpha.9

v2.0.0-beta.1

v2.0.0-beta.2

v2.0.0-beta.3

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v3.*

v3.0.0-alpha.2