GHSA-Q729-696Q-G9PQ

Vulnerability from github – Published: 2026-07-01 20:03 – Updated: 2026-07-01 20:03
VLAI
Summary
SurrealDB has Denial of Service in JSON parser due to nested objects
Details

The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested {, [, or ( tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket /rpc endpoint and exhaust server memory, crashing the process.

This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.

Impact

An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.

Patches

A patch enforces the configured recursion depth limit in parse_value and parse_json, bringing them in line with the rest of the parser.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Restrict network access to the WebSocket /rpc endpoint to trusted clients.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:03:33Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested `{`, `[`, or `(` tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket `/rpc` endpoint and exhaust server memory, crashing the process.\n\nThis is an incomplete fix for [GHSA-6r8p-hpg7-825g](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g), which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.\n\n### Impact\n\nAn unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.\n\n### Patches\n\nA patch enforces the configured recursion depth limit in `parse_value` and `parse_json`, bringing them in line with the rest of the parser.\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nRestrict network access to the WebSocket `/rpc` endpoint to trusted clients.",
  "id": "GHSA-q729-696q-g9pq",
  "modified": "2026-07-01T20:03:33Z",
  "published": "2026-07-01T20:03:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-q729-696q-g9pq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/1bd9826f477f4089134460dc5574b6f4e6916973"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB has Denial of Service in JSON parser due to nested objects"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…