GHSA-xx7m-69ff-9crp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xx7m-69ff-9crp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-xx7m-69ff-9crp/GHSA-xx7m-69ff-9crp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xx7m-69ff-9crp
- Published
- 2026-02-12T22:11:48Z
- Modified
- 2026-02-12T22:20:28.077776Z
- Severity
-
- 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- SurrealDB vulnerable to Denial of Service through scripting function memory edge case
- Details
-
In SurrealDB instances with the scripting capability enabled (
--allow-scripting), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.The query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.
Whilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (
--allow-guests), is enabled, then guests can perform this attack.Impact
Any user able to execute queries on a SurrealDB instance with scripting enabled (
--allow-scripting) can cause complete denial of service. The server process terminates immediately without graceful shutdown.The underlying cause of the vulnerability is a null pointer dereference in the
QuickJS-NGv0.8 JavaScript engine, this vulnerability cannot be exploited to execute arbitrary code, or compromise the integrity or confidentiality of data.Patches
Versions prior to SurrealDB
v2.6.1andv3.0.0-beta.3are vulnerable.The patches for SurrealDB
v2.6.1andv3.0.0-beta.3update therquickjsdependency fromv0.9.0tov0.11.0, which in turn uses an updated version ofQuickJS-NG.Workarounds
Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the
--deny-scriptingflag or the equivalent environment variableSURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.Administrators can also use
--deny-arbitrary-queryto deny arbitrary querying by eitherguest,recordorsystemusers, or a combination of those, with impacts to functionality for those users.Links
SurrealDB Documentation - Capabilities SurrealDB Documentation - Guest Access SurrealQL Documentation - Scripting Functions quickjs-ng v0.9 Release Notes https://github.com/surrealdb/surrealdb/pull/6833 https://github.com/surrealdb/surrealdb/pull/6774
- Database specific
{ "nvd_published_at": null, "github_reviewed": true, "cwe_ids": [ "CWE-476" ], "github_reviewed_at": "2026-02-12T22:11:48Z", "severity": "MODERATE" }- References
-
- https://github.com/surrealdb/surrealdb/security/advisories/GHSA-xx7m-69ff-9crp
- https://github.com/surrealdb/surrealdb/pull/6774
- https://github.com/surrealdb/surrealdb/pull/6833
- https://github.com/surrealdb/surrealdb/commit/2b0389b92398d9ecff4632cd51bbf8303832a988
- https://github.com/surrealdb/surrealdb/commit/bcd2ece9ef0d721215f06a47280698669f332285
- https://github.com/surrealdb/surrealdb
Affected packages
crates.io / surrealdb
Package
- Name
- surrealdb
- View open source insights on deps.dev
- Purl
- pkg:cargo/surrealdb
crates.io / surrealdb
Package
- Name
- surrealdb
- View open source insights on deps.dev
- Purl
- pkg:cargo/surrealdb