SurrealDB, Denial of Service (Uncontrolled Recursion), CVE-2026-264505H (Medium) -DC-Jun2026-537

This vulnerability, identified as PGV-264505H (GHSA-jv2j-mqmw-xvv5), is an Uncontrolled Recursion (CWE-674) flaw affecting SurrealDB versions 3.0.0 through 3.1.4. It allows an authenticated user with query-execution privileges to crash the entire SurrealDB server process using a single, carefully crafted query.
The attack exploits the query parser's handling of flat operator chains. A query such as `RETURN 1 + 1 + 1 + …` with tens of thousands of terms is parsed into an expression tree whose depth grows by one level per operator: each new operator takes the whole tree built so far as its left operand. Because the chain is flat rather than nested, the Pratt parser appends to it iteratively, in a loop, so the existing query- and object-recursion limits, which only count nesting, are never triggered, and the tree grows without bound as the query gets longer.
The crash does not happen during parsing but later in the processing pipeline. The over-deep tree is walked recursively, one call per node, when it is dropped, formatted, or lowered for execution. That recursion overflows the thread stack and the whole SurrealDB process aborts. Because this happens during query processing, before any data is read or written, the result is a denial of service affecting every namespace and database on the instance until the server is restarted, manually or by a supervisor.
The fix, implemented in version 3.1.5, introduces a dedicated expression-depth budget called expr_recursion_limit. This budget is sourced from a new configuration value, `max_expression_parsing_depth` (default 128), which is configurable via the `SURREAL_MAX_EXPRESSION_PARSING_DEPTH` environment variable. The budget is charged once per Pratt-parser level and once per operator appended to the spine. If a query exceeds this limit, it is rejected with a syntax error, preventing the construction of a tree that would overflow the stack. Importantly, paths that re-parse already-validated stored data are exempted, ensuring existing databases with deep stored expressions can still load.
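As an added example (not SurrealDB's code, and not a claim about how its parser is structured internally), here is a small Pratt parser in Rust that enforces the two charges the fix describes: one per parser level, so deeply nested parentheses cannot recurse without bound, and one per operator appended to a flat spine, so a chain like `1 + 1 + …` is rejected with a syntax error once the tree would exceed the limit. The names (`parse_with_limit`, `flat_chain`, `ParseError::TooDeep`) and the choice to track subtree height while building are this example's own assumptions.

```rust
// Added example, not SurrealDB's code: a minimal Pratt parser for `+ - * /` and
// parentheses that bounds expression depth while the tree is built, mirroring the
// max_expression_parsing_depth check described in the advisory. Names are the example's own.

#[derive(Debug, Clone, PartialEq)]
pub enum Expr {
    Num(i64),
    Bin { op: char, lhs: Box<Expr>, rhs: Box<Expr> },
}

impl Expr {
    /// Tree height: any recursive walker (drop, format, lower) needs one frame per level.
    pub fn height(&self) -> usize {
        match self {
            Expr::Num(_) => 1,
            Expr::Bin { lhs, rhs, .. } => 1 + lhs.height().max(rhs.height()),
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Syntax(&'static str),
    /// Rejected as a syntax error before an over-deep tree can be built.
    TooDeep { limit: usize },
}

/// Same default as the fix's max_expression_parsing_depth.
pub const DEFAULT_MAX_EXPRESSION_DEPTH: usize = 128;

struct Parser<'a> {
    src: &'a [u8],
    pos: usize,
    nesting: usize, // live Pratt-parser levels, i.e. the parser's own recursion
    limit: usize,
}

impl<'a> Parser<'a> {
    fn peek(&mut self) -> Option<u8> {
        while self.src.get(self.pos) == Some(&b' ') {
            self.pos += 1;
        }
        self.src.get(self.pos).copied()
    }

    /// One Pratt level. Charged once per level so `((((1))))` cannot recurse unboundedly.
    fn parse_expr(&mut self, min_bp: u8) -> Result<(Expr, usize), ParseError> {
        if self.nesting >= self.limit {
            return Err(ParseError::TooDeep { limit: self.limit });
        }
        self.nesting += 1;
        let result = self.parse_level(min_bp);
        self.nesting -= 1;
        result
    }

    /// Returns the subtree with its height so the spine check costs O(1) per operator.
    fn parse_level(&mut self, min_bp: u8) -> Result<(Expr, usize), ParseError> {
        let (mut lhs, mut height) = self.parse_primary()?;
        loop {
            let bp = match self.peek() {
                Some(b'+') | Some(b'-') => 1,
                Some(b'*') | Some(b'/') => 2,
                _ => break,
            };
            if bp <= min_bp {
                break; // left-associative: the enclosing level takes this operator
            }
            let op = self.src[self.pos] as char;
            self.pos += 1;
            let (rhs, rhs_height) = self.parse_expr(bp)?;
            // Appending to the flat spine adds a level with no parser recursion at all,
            // which is exactly what a nesting-only limit misses; charge it here.
            height = 1 + height.max(rhs_height);
            if height > self.limit {
                return Err(ParseError::TooDeep { limit: self.limit });
            }
            lhs = Expr::Bin { op, lhs: Box::new(lhs), rhs: Box::new(rhs) };
        }
        Ok((lhs, height))
    }

    fn parse_primary(&mut self) -> Result<(Expr, usize), ParseError> {
        match self.peek() {
            Some(b'(') => {
                self.pos += 1;
                let inner = self.parse_expr(0)?;
                if self.peek() != Some(b')') {
                    return Err(ParseError::Syntax("expected ')'"));
                }
                self.pos += 1;
                Ok(inner)
            }
            Some(c) if c.is_ascii_digit() => {
                let start = self.pos;
                while matches!(self.src.get(self.pos), Some(d) if d.is_ascii_digit()) {
                    self.pos += 1;
                }
                let text = std::str::from_utf8(&self.src[start..self.pos]).unwrap();
                let n: i64 = text.parse().map_err(|_| ParseError::Syntax("bad number"))?;
                Ok((Expr::Num(n), 1))
            }
            _ => Err(ParseError::Syntax("expected a number or '('")),
        }
    }
}

/// Parse the expression after `RETURN` under a depth limit.
pub fn parse_with_limit(src: &str, limit: usize) -> Result<Expr, ParseError> {
    let mut p = Parser { src: src.as_bytes(), pos: 0, nesting: 0, limit };
    let (expr, _) = p.parse_expr(0)?;
    match p.peek() {
        None => Ok(expr),
        Some(_) => Err(ParseError::Syntax("trailing input")),
    }
}

/// The advisory's crafted chain (constructed input): `1 + 1 + ... + 1` with `terms` operands.
pub fn flat_chain(terms: usize) -> String {
    vec!["1"; terms].join(" + ")
}

fn main() {
    let limit = DEFAULT_MAX_EXPRESSION_DEPTH;
    println!("100 terms: height {}", parse_with_limit(&flat_chain(100), limit).unwrap().height());
    println!("50000 terms: {:?}", parse_with_limit(&flat_chain(50_000), limit));
}
```

With the default limit of 128, a 100-term chain parses to a tree of height 100, while a 50,000-term chain is rejected with `TooDeep` after the 128th level, having read the input linearly but built at most 128 levels. Because height is capped, the recursive `height()` walker, standing in for the drop, format and lower passes the advisory mentions, can never need more than 128 frames. The nesting counter is refunded when a level closes (it measures live parser recursion), but the spine charge is not, since a spine's height is part of whatever tree contains it.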

DailyCVE Form

Platform: SurrealDB
Version: 3.0.0 – 3.1.4
Vulnerability: Uncontrolled Recursion (CWE-674)
Severity: Medium
Date: 2026-06-19

Prediction: 2026-06-19

What Undercode Say: Analytics

Root Cause Analysis:

  • Parser: The Pratt parser builds a flat Abstract Syntax Tree (AST) for operator chains. The tree depth is proportional to the number of operators.
  • Recursion Limits: Existing query and object recursion limits are not triggered because the chain is flat, not nested.
  • Stack Overflow: The deep AST is later processed by recursive functions (e.g., for dropping, formatting, or lowering), leading to a stack overflow and process abort.

Vulnerable Code Pattern (Conceptual):

// Conceptual representation of the vulnerable parser behavior (not SurrealDB's actual code)
enum Op { Add }

enum Expr {
    Literal(i64),
    BinaryOp { left: Box<Expr>, op: Op, right: Box<Expr> },
}

fn parse_operator_chain(operators: Vec<Op>) -> Expr {
    let mut expr = Expr::Literal(1);
    for op in operators {
        // The tree grows one level deeper per operator but remains a flat chain:
        // the whole tree built so far becomes the left child of the new node,
        // so no recursion happens here and a nesting-only limit never fires.
        expr = Expr::BinaryOp { left: Box::new(expr), op, right: Box::new(Expr::Literal(1)) };
    }
    expr
}

// Later, a recursive function walks this tree: one stack frame per level,
// so a chain of tens of thousands of operators overflows the thread stack.
// (Dropping `Expr` is recursive in the same way, since each Box drops its child.)
fn walk_expr(expr: &Expr) -> usize {
    match expr {
        Expr::BinaryOp { left, right, .. } => {
            walk_expr(left) + walk_expr(right) + 1 // Recursive call for each level
        }
        Expr::Literal(_) => 1,
    }
}

Exploit Query Example:

-- A query with tens of thousands of operators to trigger the stack overflow
RETURN 1 + 1 + 1 + 1 + 1 + ... (repeated 50,000+ times)

This query, when executed by an authenticated user, will crash the server.

Protection

The primary protection is to upgrade to SurrealDB version 3.1.5 or later. If upgrading is not immediately possible, the following workarounds are recommended:
1. Restrict Query Execution: Use the `--deny-arbitrary-query` capability flag to prevent untrusted users (the guest, record, or system classes) from executing arbitrary queries.
2. Restrict Endpoint Access: Limit untrusted access to the WebSocket `/rpc` endpoint, which accepts larger request bodies. While the HTTP `/sql` endpoint has a 1 MiB body limit that reduces the achievable operator depth, it does not guarantee safety.
3. Implement Auto-Restart: Run SurrealDB under an orchestrator or process manager (e.g., Kubernetes, systemd with Restart=on-failure, or a Docker restart policy). This ensures the server recovers automatically after a crash, limiting downtime.

Impact

  • Availability: A successful attack causes a complete denial of service. The entire SurrealDB process aborts, making all namespaces and databases on that instance unavailable until the server is restarted.
  • Scope: The impact is contained to the application itself. Exploitation does not affect the host environment or external systems.
  • Data Integrity/Confidentiality: The crash occurs during query processing before any data is read or written. Therefore, this vulnerability impacts availability only, with no direct effect on data integrity or confidentiality.


Sources:

Reported By: github.com