GHSA-CCJ3-5P93-8P42

Vulnerability from github – Published: 2025-04-11 14:07 – Updated: 2025-04-11 14:07
VLAI
Summary
SurrealDB server-takeover via SurrealQL injection on backup import
Details

The SurrealDB command-line tool allows exporting databases through the export command. It was discovered that table or field names are not properly sanitized in exports, leading to a SurrealQL injection when the backup is reimported.

For the injection to occur, an authenticated System User with OWNER or EDITOR roles needs to create tables or fields with malicious names containing SurrealQL, subsequently exported using the export operation

The attacker could achieve a privilege escalation and root level access to the SurrealDB instance if a higher privileged user subsequently performs the import operation.

Furthermore, applications using SurrealDB that allow its users to define custom fields or tables are at risk of a universal second order SurrealQL injection, even if query parameters are properly sanitized.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Critical, matched by our CVSS v4 assessment.

Impact

This attack can be used to perform privilege escalation and complete takeover (root access) of the SurrealDB instance, as well as being able to perform SurrealQL injection attacks against co-tenanted applications where SurrealDB is used as a shared backend for multiple applications.

Patches

A patch has been created that addresses the issue by fixing the bugs in the exporter which failed to escape some characters properly.

  • Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.

Workarounds

For SurrealDB users that are unable to upgrade, users that are looking to perform import operations must manually inspect the exported data for injected statements, prior to importing.

References

SurrealDB Documentation - Export SurrealDB Documentation - Import SurrealDB Documentation - Authentication

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-11T14:07:34Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "The SurrealDB command-line tool allows exporting databases through the `export` command. It was discovered that table or field names are not properly sanitized in exports, leading to a SurrealQL injection when the backup is reimported.\n\nFor the injection to occur, an authenticated System User with `OWNER` or `EDITOR` roles needs to create tables or fields with malicious names containing SurrealQL, subsequently exported using the `export` operation\n\nThe attacker could achieve a privilege escalation and root level access to the SurrealDB instance if a higher privileged user subsequently performs the `import` operation. \n\nFurthermore, applications using SurrealDB that allow its users to define custom fields or tables are at risk of a universal second order SurrealQL injection, even if query parameters are properly sanitized. \n\nThis issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53\u0027s preliminary finding is Critical, matched by our CVSS v4 assessment.\n\n### Impact\nThis attack can be used to perform privilege escalation and complete takeover (root access) of the SurrealDB instance, as well as being able to perform SurrealQL injection attacks against co-tenanted applications where SurrealDB is used as a shared backend for multiple applications.\n\n### Patches\nA patch has been created that addresses the issue by fixing the bugs in the exporter which failed to escape some characters properly.\n\n- Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.\n\n\n### Workarounds\nFor SurrealDB users that are unable to upgrade, users that are looking to perform `import` operations must manually inspect the exported data for injected statements, prior to importing. \n\n\n### References\n[SurrealDB Documentation - Export](https://surrealdb.com/docs/surrealdb/cli/export)\n[SurrealDB Documentation - Import](https://surrealdb.com/docs/surrealdb/cli/import)\n[SurrealDB Documentation - Authentication](https://surrealdb.com/docs/surrealdb/security/authentication)",
  "id": "GHSA-ccj3-5p93-8p42",
  "modified": "2025-04-11T14:07:34Z",
  "published": "2025-04-11T14:07:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-ccj3-5p93-8p42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SurrealDB server-takeover via SurrealQL injection on backup import"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…