GHSA-CC8F-FCX3-GPJR: GHSA-cc8f-fcx3-gpjr: Arbitrary File Disclosure via DEFINE ANALYZER mapper filter in SurrealDB

GHSA-cc8f-fcx3-gpjr: Arbitrary File Disclosure via DEFINE ANALYZER mapper filter in SurrealDB

Vulnerability ID: GHSA-CC8F-FCX3-GPJR
CVSS Score: 7.7
Published: 2026-06-19

A local file disclosure vulnerability exists in SurrealDB's full-text search capabilities, allowing authenticated users with database EDITOR or OWNER roles to read arbitrary files from the host system filesystem. This occurs by abusing the mapper() filter inside a DEFINE ANALYZER statement to point to system files.

TL;DR

Authenticated database users with EDITOR or OWNER roles can read arbitrary files from the host filesystem by registering a DEFINE ANALYZER statement with a malicious path in the mapper() filter.

---

Technical Details

• CWE ID: CWE-22
• Attack Vector: Network
• CVSS Score: 7.7 (High)
• Exploit Status: PoC
• Impact: High (Arbitrary File Read)
• Fixed Version: 3.1.5

Affected Systems

• SurrealDB
• SurrealDB: < 3.1.5 (Fixed in: 3.1.5)

Code Analysis

Commit: e0912c4

Implements SURREAL_FILE_ALLOWLIST

Mitigation Strategies

• Configure SURREAL_FILE_ALLOWLIST to isolate file mappings
• Upgrade SurrealDB to version 3.1.5 or higher
• Restrict database role privileges

Remediation Steps:

1. Upgrade SurrealDB to version 3.1.5 or higher.
2. If unable to upgrade, configure SURREAL_FILE_ALLOWLIST to a designated mapping directory.
3. Audit registered database analyzers with INFO FOR DB.

References

• Official Security Advisory
• Fix Pull Request

---

Read the full report for GHSA-CC8F-FCX3-GPJR on our website for more details including interactive diagrams and full exploit analysis.