Denial of Service Vulnerability in SurrealDB by SurrealDB Inc.
CVE-2025-71396

2.3LOW

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2025-71396?

SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2 lack a default execution-time limit for embedded JavaScript functions when scripting is enabled. This allows authenticated attackers to submit resource-intensive scripts, leading to server resource depletion and potential denial of service. By exploiting this flaw, an attacker can disrupt normal server operations, impacting availability and performance.

Affected Version(s)

surrealdb 0 < 2.2.2

surrealdb 0 < 2.0.5

surrealdb 0 < 2.1.5

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

cure53
.