CVE-2024-58370
MEDIUM
6.5
CVSS 3.1
Description
SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit queries with excessive nesting depth to cause stack overflow and crash the server.
Metadata
Severity & Metrics
6.5
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| surrealdb | surrealdb | — | 0 < 1.1.0, 1.1.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-674 | cna | Uncontrolled Recursion |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.1 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 6.5 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (2)
- GitHub Security Advisory (GHSA-6r8p-hpg7-825g) https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g
- VulnCheck Advisory: SurrealDB before 1.1.0 Uncontrolled Recursion Denial of Service https://www.vulncheck.com/advisories/surrealdb-before-uncontrolled-recursion-denial-of-service