SurrealQL Injection Vulnerability in SurrealDB by SurrealDB
CVE-2025-71392
What is CVE-2025-71392?
The SurrealDB software exhibits a vulnerability where improper escaping of table and field names occurs during the command-line export function. Authenticated users with OWNER or EDITOR roles can inject malicious names into created tables or fields using SurrealQL. When a higher-privileged user later imports this exported backup, the injected SurrealQL commands are executed. This allows for significant security risks, including privilege escalation and the potential for root-level control over the SurrealDB instance. Additionally, applications enabling users to define custom tables or fields are also implicated, being at risk for a second-order SurrealQL injection attack even with sanitized query parameters.
Affected Version(s)
surrealdb 0 < 2.2.2
surrealdb 0 < 2.1.5
surrealdb 0 < 2.0.5
