An authenticated user with root, namespace, or database-level privileges in SurrealDB can exploit the `DEFINE ANALYZER` statement to read arbitrary two-column TSV files from the filesystem. The vulnerability arises due to insufficient path validation when defining custom analyzers. By specifying a malicious file path, an attacker can exfiltrate sensitive data if the file matches the expected TSV format.
The issue was identified during a code audit and penetration test by cure53 and carries a severity rating of Low (CVSS v4). The impact is limited to unauthorized reads of files that parse as two-column TSV. Patched versions (2.1.5 and later in the 2.1 line, 2.2.2 and later in the 2.2 line) introduce the `SURREAL_FILE_ALLOWLIST` environment variable, which restricts the directories an analyzer definition may read from.
DailyCVE Form:
Platform: SurrealDB
Version: < 2.1.5
Vulnerability: Arbitrary File Read
Severity: Low
Date: 2024-XX-XX
What Undercode Say:
Exploitation:
1. Check privileges: Confirm root/namespace/database-level access.
2. Craft malicious analyzer:
DEFINE ANALYZER exfil_analyzer SOURCE FILE '/etc/passwd';
3. Exfiltrate data: If the file is TSV-formatted, the analyzer processes it.
Protection:
1. Patch immediately: Upgrade to SurrealDB 2.1.5+ or 2.2.2+.
2. Restrict paths: Set `SURREAL_FILE_ALLOWLIST` to trusted directories:
export SURREAL_FILE_ALLOWLIST="/safe/path1,/safe/path2"
3. Limit privileges: Restrict root/namespace/database users to trusted entities.
Detection:
- Log analysis: Monitor `DEFINE ANALYZER` statements in query logs.
- File access auditing: Alert when the SurrealDB process reads TSV files outside the allowlisted directories.
Mitigation Script (Bash):

```bash
# Check for the vulnerable releases (2.1.0-2.1.4 and 2.2.0-2.2.1); a match means the instance needs patching.
# The SurrealDB CLI binary is `surreal` and `surreal version` prints the release number.
surreal version | grep -E '\b2\.(1\.[0-4]|2\.[01])\b' && echo "vulnerable SurrealDB version"

# Apply the allowlist system-wide. /etc/environment takes KEY=value lines, not shell `export` statements;
# for a systemd-managed service, set the variable in the unit's Environment= instead.
echo 'SURREAL_FILE_ALLOWLIST="/valid/path"' >> /etc/environment
```
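As an added example that is not part of the original post, the two defensive checks above in one script: a version test for the affected ranges named in the advisory, and a scan of query-log lines for `DEFINE ANALYZER` statements that quote a file path outside `SURREAL_FILE_ALLOWLIST`. The log line format is constructed for the example (SurrealDB does not log queries in this shape by default), and paths are normalised before the allowlist comparison so a traversal such as `/safe/path1/../../etc/passwd` is judged by its real target.

```python
import os
import re

# Fixed releases named in the advisory: 2.1.5 and 2.2.2, so 2.2.0 and 2.2.1 are affected.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# A DEFINE ANALYZER statement up to its terminating ';' (or end of line), plus any quoted string inside it.
_DEFINE_ANALYZER_RE = re.compile(r"DEFINE\s+ANALYZER\b(.*?)(?:;|$)", re.IGNORECASE)
_QUOTED_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def parse_version(text):
    """Pull MAJOR.MINOR.PATCH out of CLI output such as '2.1.4' or 'surreal 2.2.1 for linux'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True for releases below 2.1.5 and for 2.2.0/2.2.1."""
    v = parse_version(version_text)
    return v < (2, 1, 5) or (2, 2, 0) <= v < (2, 2, 2)


def inside_allowlist(path, allowlist):
    """Normalise first so '/safe/path1/../../etc/passwd' is judged by its real target."""
    real = os.path.normpath(path)
    return any(real == b or real.startswith(b.rstrip("/") + "/") for b in map(os.path.normpath, allowlist))


def flag_analyzer_file_refs(log_lines, allowlist):
    """Return (log line, path) for every DEFINE ANALYZER that quotes a path outside the allowlist."""
    hits = []
    for line in log_lines:
        for stmt in _DEFINE_ANALYZER_RE.finditer(line):
            for q in _QUOTED_RE.finditer(stmt.group(1)):
                value = q.group(1) if q.group(1) is not None else q.group(2)
                if "/" in value and not inside_allowlist(value, allowlist):
                    hits.append((line, value))
    return hits


# Constructed sample log lines (not real SurrealDB log output); the statement form follows the page.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z query: DEFINE ANALYZER words TOKENIZERS blank;",
    "2024-01-01T10:01:00Z query: DEFINE ANALYZER exfil_analyzer SOURCE FILE '/etc/passwd';",
    "2024-01-01T10:02:00Z query: DEFINE ANALYZER syn SOURCE FILE '/safe/path1/synonyms.tsv';",
    "2024-01-01T10:03:00Z query: DEFINE ANALYZER trav SOURCE FILE '/safe/path1/../../etc/passwd';",
]
SAMPLE_ALLOWLIST = ["/safe/path1", "/safe/path2"]

if __name__ == "__main__":
    for line, path in flag_analyzer_file_refs(SAMPLE_LOGS, SAMPLE_ALLOWLIST):
        print(f"ALERT: analyzer references {path} outside the allowlist <- {line}")
```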
References:
- SurrealQL DEFINE ANALYZER
- Issue 5600 (GitHub)
Reported By: https://github.com/advisories/GHSA-2cvj-g5r5-jrrg