Back to overview

CVE-2025-71394

LOW
2.3
CVSS 4.0
Description
SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with root, namespace, or database level privileges can point analyzers to arbitrary file paths and exfiltrate content from two-column tab-separated files.

Metadata

CVE ID
CVE-2025-71394
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-16 12:14 UTC
Published
2026-07-18 13:10 UTC
Last updated
2026-07-18 13:10 UTC
Primary CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory …
Vendor / Product
surrealdb / surrealdb
Sources
cve.org  ·  NVD

Severity & Metrics

2.3 LOW CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (2)
VendorProductPlatformVersions
surrealdb surrealdb 0 < 2.2.2, 2.2.2
surrealdb surrealdb 0 < 2.1.5, 2.1.5
Weakness (CWE)
CWESourceDescription
CWE-22 cna Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
ScoreSeverityVersionSourceVector
2.3 LOW 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References (2)
Back to overview