SurrealQL Injection Vulnerability in SurrealDB by SurrealDB
CVE-2025-71392

9.4CRITICAL

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2025-71392?

The SurrealDB software exhibits a vulnerability where improper escaping of table and field names occurs during the command-line export function. Authenticated users with OWNER or EDITOR roles can inject malicious names into created tables or fields using SurrealQL. When a higher-privileged user later imports this exported backup, the injected SurrealQL commands are executed. This allows for significant security risks, including privilege escalation and the potential for root-level control over the SurrealDB instance. Additionally, applications enabling users to define custom tables or fields are also implicated, being at risk for a second-order SurrealQL injection attack even with sanitized query parameters.

Affected Version(s)

surrealdb 0 < 2.2.2

surrealdb 0 < 2.1.5

surrealdb 0 < 2.0.5

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

cure53
.