Local File Read Vulnerability in SurrealDB by SurrealDB
CVE-2025-71394

2.3LOW

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2025-71394?

SurrealDB versions prior to 2.2.2 are susceptible to a local file read vulnerability within the DEFINE ANALYZER statement. This issue permits authenticated users, particularly those with root, namespace, or database-level privileges, to manipulate analyzer configurations to access arbitrary file paths on the server. Consequently, malicious actors can extract sensitive information from files formatted as two-column tab-separated values, potentially leading to data exposure.

Affected Version(s)

surrealdb 0 < 2.2.2

surrealdb 0 < 2.1.5

surrealdb 2.2.2

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

cure53
.