Denial of Service Vulnerability in SurrealDB by SurrealDB Team
CVE-2025-71397
7.1HIGH
What is CVE-2025-71397?
SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2 are susceptible to a vulnerability that allows authenticated users with OWNER or EDITOR permissions to create custom database functions through nested FOR loops. The limitation on a single loop's iteration count can be bypassed by nesting multiple loops, potentially leading to excessive CPU consumption. This can significantly impact the performance of the server, rendering it unresponsive to other queries and connections until a manual restart occurs. This flaw emphasizes the necessity for improved input validation and control mechanisms in database function execution.
Affected Version(s)
surrealdb 0 < 2.2.2
surrealdb 0 < 2.1.5
surrealdb 0 < 2.0.5
