Denial of Service Vulnerability in SurrealDB by SurrealDB Team
CVE-2025-71397

7.1HIGH

Key Information:

Vendor

Surrealdb

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2025-71397?

SurrealDB versions prior to 2.0.5, 2.1.5, and 2.2.2 are susceptible to a vulnerability that allows authenticated users with OWNER or EDITOR permissions to create custom database functions through nested FOR loops. The limitation on a single loop's iteration count can be bypassed by nesting multiple loops, potentially leading to excessive CPU consumption. This can significantly impact the performance of the server, rendering it unresponsive to other queries and connections until a manual restart occurs. This flaw emphasizes the necessity for improved input validation and control mechanisms in database function execution.

Affected Version(s)

surrealdb 0 < 2.2.2

surrealdb 0 < 2.1.5

surrealdb 0 < 2.0.5

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

cure53
.