Format String Vulnerability in SurrealDB Affecting Scripting Functions
CVE-2024-58366

9CRITICAL

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2024-58366?

SurrealDB prior to version 1.1.1 is susceptible to a critical format string vulnerability that emerges within the Exception::throw_type method when scripting features are activated. This flaw enables attackers who have acquired scripting privileges to inject malicious format strings into error messages, leading to the potential disclosure of sensitive information through arbitrary memory access or even the execution of arbitrary code under the privileges of the SurrealDB process, thereby compromising the security of the application and its data.

Affected Version(s)

surrealdb 0 < 1.1.1

surrealdb 0 < 0.4.2

surrealdb 1.1.1

References

CVSS V4

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

akkie
.