How the CVE Works
The vulnerability arises in SurrealDB when an authenticated user sends a malicious query containing the `string::replace` function with a crafted regex pattern. Because the length of the resulting string is not validated, repeated string allocations exhaust server memory: the attacker generates an exponentially growing string, overwhelming system resources and causing a Denial-of-Service (DoS) crash. The issue stems from unchecked recursive replacements, which let memory consumption spike until the server becomes unresponsive.
DailyCVE Form
Platform: SurrealDB
Version: <2.0.5, <2.1.5, <2.2.2
Vulnerability: Memory exhaustion
Severity: High
Date: 2024-XX-XX
What Undercode Says:
Exploitation:
1. Craft query:
SELECT string::replace('a', 'a', 'aa') FROM table;
2. Loop to amplify memory usage.
Protection:
1. Update to patched versions (2.0.5+/2.1.5+/2.2.2+).
2. Apply env var:
export SURREAL_CAPS_DENY_FUNC="string::replace"
3. Use CLI flag:
surreal start --deny-functions "string::replace"
Detection:
1. Monitor logs for repeated `string::replace` calls.
2. Check memory spikes via:
ps -eo pid,%mem,cmd | grep surrealdb
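The detection step above (repeated `string::replace` calls in the logs) and protection step 1 (confirming the running build is patched) can both be checked from a script. The following is an added example, not code from the page or from the SurrealDB project. It assumes a constructed, simplified log line format (`<ISO timestamp> client=<addr> query="<SurrealQL>"`; SurrealDB's real log layout differs) and interprets the page's Version line as: any release below 2.0.5, any 2.1.x below 2.1.5, and any 2.2.x below 2.2.2 are affected. Lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Affected ranges, derived from the page's Version line (assumption: 2.1.x < 2.1.5
# and 2.2.x < 2.2.2 are affected; everything else is compared against 2.0.5).
VULNERABLE_BELOW = {(2, 1): 5, (2, 2): 2}


def parse_version(version):
    """Turn 'v2.1.4' or '2.1.4' into the tuple (2, 1, 4)."""
    nums = [int(p) for p in version.lstrip("v").split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable_version(version):
    """True when the given SurrealDB version falls inside an affected range."""
    major, minor, patch = parse_version(version)
    if (major, minor) in VULNERABLE_BELOW:
        return patch < VULNERABLE_BELOW[(major, minor)]
    return (major, minor, patch) < (2, 0, 5)


# Constructed log format for this example (not SurrealDB's own).
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query="(?P<query>.*)"$')
REPLACE_RE = re.compile(r"string::replace\s*\(", re.IGNORECASE)


def parse_log_line(line):
    """Return (timestamp, client, query) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["client"], m["query"]


def flag_replace_bursts(lines, threshold=3, window_seconds=60):
    """Count string::replace calls per client in a sliding time window.

    Returns {client: peak_calls_in_window} for every client whose count
    reached `threshold` inside any `window_seconds` interval.
    """
    windows = defaultdict(deque)  # client -> timestamps of recent calls
    flagged = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, client, query = parsed
        hits = len(REPLACE_RE.findall(query))
        if hits == 0:
            continue
        recent = windows[client]
        recent.extend([ts] * hits)
        # Drop calls that fell out of the window.
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(recent))
    return flagged


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    '2024-05-01T12:00:00Z client=10.0.0.7 query="SELECT name FROM user"',
    '2024-05-01T12:00:01Z client=10.0.0.9 query="SELECT string::replace(name, \'a\', \'b\') FROM user"',
    '2024-05-01T12:00:02Z client=10.0.0.9 query="SELECT string::replace(name, \'a\', \'b\') FROM user"',
    '2024-05-01T12:00:03Z client=10.0.0.9 query="SELECT string::replace(name, \'a\', \'b\') FROM user"',
    '2024-05-01T12:00:04Z client=10.0.0.9 query="SELECT string::replace(name, \'a\', \'b\') FROM user"',
    '2024-05-01T12:05:00Z client=10.0.0.7 query="SELECT string::replace(name, \'x\', \'y\') FROM user"',
]

if __name__ == "__main__":
    for v in ("2.0.4", "2.0.5", "2.1.4", "2.2.2"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
    print(flag_replace_bursts(SAMPLE_LOG))
```

Run against the sample, only `10.0.0.9` is reported (four calls inside one minute); the single call from `10.0.0.7` stays below the threshold. Tune `threshold` and `window_seconds` to the normal query mix of the deployment before acting on the output.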
Mitigation Script:
#!/bin/sh
# Kill abusive processes
pkill -f "string::replace.loop"
Patch Analysis:
The fix enforces `SURREAL_GENERATION_ALLOCATION_LIMIT` to cap string length.
References:
Reported By: https://github.com/advisories/GHSA-3633-g6mg-p6qq
Extra Source Hub:
Undercode