DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-3V2X-9XCV-2V2V: SurrealDB's Trojan Horse: The Confused Deputy in Future Fields


Vulnerability ID: GHSA-3V2X-9XCV-2V2V
CVSS Score: 7.5
Published: 2026-01-22

A critical confused-deputy vulnerability in SurrealDB allows low-privileged users to plant logic in schema objects (custom Functions and Future Fields) that later executes with the privileges of any administrator who reads or invokes those objects. The result is privilege escalation to total system compromise.

TL;DR

SurrealDB allows users to define 'future' fields and functions that execute dynamically. Prior to version 2.5.0, this logic executed with the permissions of the invoking user, not the creating user. An attacker with basic 'Edit' rights can define a field that creates a Root user, wait for an actual Root admin to query that field, and effectively hijack the database using the admin's own credentials.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-269
  • CWE Name: Improper Privilege Management
  • Attack Vector: Network (Authenticated)
  • CVSS: 7.5 (High)
  • Impact: Privilege Escalation / RCE
  • Exploit Status: PoC Available
  • Patch Commit: f515c91363ee735aa1bc08580d9e7fa0de6e736f

Affected Systems

  • SurrealDB (Standalone)
  • SurrealDB (Embedded)
  • SurrealKV
  • SurrealDB: < 2.5.0 (Fixed in: 2.5.0)
  • SurrealDB: < 3.0.0-beta.3 (Fixed in: 3.0.0-beta.3)

Code Analysis

Commit: f515c91

Implemented AuthLimit to restrict execution context of Futures and Functions

pub struct AuthLimit { ... } ... let opt = AuthLimit::try_from(&fd.auth_limit)?.limit_opt(opt);

Exploit Details

Mitigation Strategies

  • Upgrade to SurrealDB v2.5.0+ or v3.0.0-beta.3+
  • Audit all schema definitions for 'Future' fields and custom Functions
  • Restrict 'Define' permissions to trusted users only until patched

Remediation Steps:

  1. Stop the SurrealDB service.
  2. Replace the binary with version 2.5.0 or later.
  3. Restart the service.
  4. Run a schema dump to identify all defined functions and futures.
  5. Manually review definitions created by non-root users.
  6. Re-run the 'DEFINE' statements for these objects to update their AuthLimit metadata.
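The audit in steps 4 to 6 (and the "audit all schema definitions" mitigation above) is easiest to do against the text of a schema dump. The following script is an added example written for this post, not code from the advisory or from SurrealDB: it assumes the dump is SurrealQL text such as the output of INFO FOR DB or a surreal export file, splits it into DEFINE statements, picks out DEFINE FIELD statements whose VALUE is a <future> block and all DEFINE FUNCTION statements, and flags any whose body contains a privilege-changing statement (DEFINE USER, DEFINE ACCESS, DEFINE TOKEN, REMOVE). The sample dump, including the planted DEFINE USER, is constructed here to show what a hit looks like.

```python
"""Audit a SurrealDB schema dump for dynamic definitions that need review.

Added example (not the advisory's or SurrealDB's own code). Assumes the input
is SurrealQL text, e.g. from INFO FOR DB or a surreal export .surql file.
"""
import re
from dataclasses import dataclass, field

# Statements that have no business inside a computed field or function body.
# Any of these inside a <future> or fn:: body is the pattern the advisory
# describes: schema logic that will run with the invoker's privileges.
SENSITIVE = ("DEFINE USER", "DEFINE ACCESS", "DEFINE TOKEN", "REMOVE ")

# Optional DEFINE modifiers that may precede the object name.
_MODS = r"(?:OVERWRITE\s+|IF\s+NOT\s+EXISTS\s+)?"
FIELD_RE = re.compile(
    rf"DEFINE\s+FIELD\s+{_MODS}(\S+)\s+ON\s+(?:TABLE\s+)?(\S+)", re.I)
FUNC_RE = re.compile(rf"DEFINE\s+FUNCTION\s+{_MODS}(fn::[\w:]+)", re.I)


@dataclass
class Finding:
    kind: str                     # "future_field" or "function"
    name: str                     # table.field or fn::name
    sensitive: list[str] = field(default_factory=list)


def split_statements(dump: str) -> list[str]:
    """Split on ';' at brace depth 0 so ';' inside { } bodies stay in place."""
    stmts, buf, depth = [], [], 0
    for ch in dump:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


def audit(dump: str) -> list[Finding]:
    """Return one Finding per future field / function, with sensitive hits."""
    findings = []
    for stmt in split_statements(dump):
        m_field = FIELD_RE.match(stmt)
        m_func = FUNC_RE.match(stmt)
        if m_field and "<FUTURE>" in stmt.upper():
            kind, name = "future_field", f"{m_field.group(2)}.{m_field.group(1)}"
        elif m_func:
            kind, name = "function", m_func.group(1)
        else:
            continue
        # The executable body starts at the first brace; scan only that part.
        body = stmt[stmt.find("{"):] if "{" in stmt else stmt
        hits = [s.strip() for s in SENSITIVE if s in body.upper()]
        findings.append(Finding(kind, name, hits))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines; REVIEW marks bodies with sensitive statements."""
    out = []
    for f in findings:
        tag = "REVIEW" if f.sensitive else "ok"
        extra = f" -> {', '.join(f.sensitive)}" if f.sensitive else ""
        out.append(f"[{tag}] {f.kind} {f.name}{extra}")
    return out


# Constructed sample dump: two benign definitions and one planted future
# field of the kind the advisory describes (password is a placeholder).
SAMPLE_DUMP = """
DEFINE TABLE product SCHEMAFULL;
DEFINE FIELD price ON TABLE product TYPE number;
DEFINE FIELD total ON TABLE product VALUE <future> { price * 1.2 };
DEFINE FIELD status ON TABLE product VALUE <future> {
    DEFINE USER planted ON ROOT PASSWORD 'PLACEHOLDER' ROLES OWNER;
    RETURN 'ok';
};
DEFINE FUNCTION fn::tax($p: number) { RETURN $p * 0.2; };
"""

if __name__ == "__main__":
    for line in report(audit(SAMPLE_DUMP)):
        print(line)
```

Run it against a real dump by reading the file into audit(). Every future field and function is listed, not only the flagged ones, because step 5 still calls for a manual look at anything a non-root user defined; the REVIEW tag just orders that work.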

References


Read the full report for GHSA-3V2X-9XCV-2V2V on our website for more details including interactive diagrams and full exploit analysis.
