4 matches found
EUVD-2024-55685
SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or namespace levels, causing server panic. Authorized clients can invoke these entities at unsupported levels to crash the SurrealDB server, resulting in denial of service...
EUVD-2024-55681
SurrealDB versions before 1.2.0 contain an uncaught exception vulnerability in the query executor when processing calls to nonexistent built-in functions. Authorized clients can craft pre-parsed queries invoking nonexistent functions to trigger a panic that crashes the server...
GHSA-3633-G6MG-P6QQ SurrealDB memory exhaustion via string::replace using regex
An authenticated user can craft a query using the string::replace function that uses a Regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server exhausting all the memor...
PT-2024-40418 · Quickjs +1 · Quickjs +1
Name of the Vulnerable Software and Affected Versions: SurrealDB versions prior to 1.1.1 rquickjs crate versions prior to 0.4.2 Description: The issue arises from the rquickjs crate used by SurrealDB, which executes scripting functions. The Exception::throw type function in rquickjs takes a strin...