Back to overview

CVE-2024-58366

HIGH
8.5
CVSS 3.1
Description
SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throw_type function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges.

Metadata

CVE ID
CVE-2024-58366
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-18 12:40 UTC
Published
2026-07-18 13:10 UTC
Last updated
2026-07-18 13:10 UTC
Primary CWE
CWE-134
Use of Externally-Controlled Format String
Vendor / Product
surrealdb / surrealdb
Sources
cve.org  ·  NVD

Severity & Metrics

8.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products (2)
VendorProductPlatformVersions
surrealdb surrealdb 0 < 1.1.1, 1.1.1
surrealdb surrealdb 0 < 0.4.2, 0.4.2
Weakness (CWE)
CWESourceDescription
CWE-134 cna Use of Externally-Controlled Format String
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.0 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
8.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
References (2)
Back to overview