GHSA-H4H3-3RFJ-X6FQ: Value-Ordering Oracle Side-Channel via Indexed ORDER BY in SurrealDB
Vulnerability ID: GHSA-H4H3-3RFJ-X6FQ
CVSS Score: 4.3
Published: 2026-06-19
SurrealDB versions 3.0.0 through 3.1.4 contain an information exposure vulnerability (CWE-203): the query planner serves ORDER BY on an indexed field from that index even when the field carries a field-level SELECT restriction. Because the index-based sort runs before permission-based redaction, a user who is not allowed to read the field still receives the rows in the order of its hidden values, and can deduce their relative magnitude from the sequence of the returned rows.
TL;DR
SurrealDB's query planner optimizes sorting via an index on a restricted field before enforcing the permission boundary on that field. A user without SELECT permission on the field can still query it with an ORDER BY clause, causing the database to sort the rows by the hidden values and only then replace them with null. Because the sequence of returned rows is preserved, the attacker can insert records with values they choose (for example rows they own), observe where a victim's row lands relative to them, and use that comparison as a binary search oracle to extract the confidential value one bit at a time.
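The oracle described above, modelled in Python as an added illustration. This is not SurrealDB's code: the planner, the field-level redaction to null (None here) and the table are all simulated, and the table, field and user names are made up. The affected and the fixed planner behaviour sit side by side so the binary search can be run against both.

```python
"""Model of the ORDER BY ordering oracle from GHSA-H4H3-3RFJ-X6FQ.

Added illustration: the planner, the field-level redaction and the data are
simulated in Python; nothing here is SurrealDB code. The field is shown as
None where SurrealDB would return null for a select-restricted field.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Row:
    id: str
    owner: str
    salary: int  # field with a field-level SELECT permission (owner only)


Result = List[Tuple[str, Optional[int]]]
Query = Callable[[List[Row], str], Result]


def redact(row: Row, viewer: str) -> Optional[int]:
    """Field-level permission check: only the owner may read salary."""
    return row.salary if row.owner == viewer else None


def vulnerable_select(rows: List[Row], viewer: str) -> Result:
    """Affected planner: ORDER BY salary is served from the index, i.e. the
    rows are sorted on their stored values, and redaction runs afterwards.
    The returned sequence therefore still encodes the hidden values."""
    ordered = sorted(rows, key=lambda r: r.salary)
    return [(r.id, redact(r, viewer)) for r in ordered]


def patched_select(rows: List[Row], viewer: str) -> Result:
    """Fixed behaviour: redact first, then sort only on what the viewer may
    see. Every redacted row compares equal, so the stable sort leaves them
    in storage order and their sequence reveals nothing."""
    visible = [(r.id, redact(r, viewer)) for r in rows]
    return sorted(visible, key=lambda t: (t[1] is not None, t[1] or 0))


def target_at_most(query: Query, rows: List[Row], target_id: str,
                   probe_value: int, attacker: str = "mallory") -> bool:
    """One oracle query: add an attacker-owned probe row with a chosen salary,
    run the ordered SELECT as the attacker, and report whether the target row
    is returned before the probe. Under the affected planner this is exactly
    target.salary <= probe_value (ties keep insertion order, probe is last)."""
    probe = Row("employee:probe", attacker, probe_value)
    order = [rid for rid, _ in query(rows + [probe], attacker)]
    return order.index(target_id) < order.index("employee:probe")


def extract_salary(query: Query, rows: List[Row], target_id: str,
                   lo: int, hi: int) -> Tuple[int, int]:
    """Binary search over the integer range [lo, hi] using the oracle.
    Returns (recovered value, number of oracle queries). Against the fixed
    planner the oracle answer is constant, so the search just returns lo."""
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if target_at_most(query, rows, target_id, mid):
            hi = mid
        else:
            lo = mid + 1
    return lo, queries


# Constructed sample table: mallory owns one row and may add probe rows, but
# must not learn alice's or bob's salary.
SAMPLE_ROWS = [
    Row("employee:alice", "alice", 73_250),
    Row("employee:bob", "bob", 41_000),
    Row("employee:mallory", "mallory", 50_000),
]

if __name__ == "__main__":
    print("affected planner, as mallory:", vulnerable_select(SAMPLE_ROWS, "mallory"))
    print("fixed planner, as mallory:   ", patched_select(SAMPLE_ROWS, "mallory"))
    for name in ("alice", "bob"):
        value, n = extract_salary(vulnerable_select, SAMPLE_ROWS, f"employee:{name}", 0, 1_000_000)
        print(f"{name}: recovered {value} with {n} oracle queries (affected planner)")
    value, n = extract_salary(patched_select, SAMPLE_ROWS, "employee:alice", 0, 1_000_000)
    print(f"alice: search returns {value} after {n} queries (fixed planner, no signal)")
```

Against the affected planner the search recovers a value in a one-million range with at most 20 ordered SELECTs, each of which looks like an ordinary query that returns null for the restricted field; against the fixed behaviour the oracle always answers the same way and the search degenerates to its lower bound. Detection-wise, the tell is a low-privileged principal issuing many ORDER BY queries on a field it cannot read, interleaved with inserts of its own rows.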
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-203 (Information Exposure Through Discrepancy)
- Attack Vector: Network (unauthenticated or low-privileged SurrealQL query access to the affected table)
- CVSS v3.1: 4.3 (Medium)
- Impact Type: Confidentiality / Data Exposure Side-Channel
- Exploit Status: Conceptual / PoC
- Remediation Status: Patched in 3.1.5
Affected Systems
- SurrealDB instances utilizing multi-tenant schemas
- SurrealQL setups with field-level SELECT permissions and indexed fields
- surrealdb: >= 3.0.0, < 3.1.5 (Fixed in: 3.1.5)
Exploit Details
- GitHub Security Advisory: The advisory describes the structure of the side-channel leak and conceptual mitigation strategies.
Mitigation Strategies
- Upgrade to SurrealDB version 3.1.5 or newer to ensure the query planner applies permission checks prior to index optimization.
- Set the environment variable SURREAL_PLANNER_STRATEGY=compute-only to force the engine to execute queries without planner optimizations. This is a stopgap until the upgrade: it removes index-driven query plans for every query, so expect a performance cost on workloads that relied on them.
- Remove index definitions from sensitive, select-restricted fields.
- Enforce the security boundary at the table level with a table-level PERMISSIONS FOR select clause instead of field-level restrictions, so rows the user may not read are never returned (and never ordered) at all.
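As an added illustration, the affected schema shape and the two schema-level mitigations above, side by side in SurrealQL. The schema is constructed for this page and is not from the advisory or the SurrealDB project: the table, field and role names are made up, and `DEFINE TABLE OVERWRITE` is assumed to be the way to redefine an existing table.

```sql
-- Affected shape: the table is broadly readable, one field is select-restricted,
-- and that same field is indexed. On an affected version, ORDER BY salary is
-- served from employee_salary before the field is redacted to null.
DEFINE TABLE employee SCHEMAFULL
    PERMISSIONS
        FOR select FULL
        FOR create, update, delete WHERE $auth.role = 'admin';
DEFINE FIELD name   ON TABLE employee TYPE string;
DEFINE FIELD owner  ON TABLE employee TYPE record<user>;
DEFINE FIELD salary ON TABLE employee TYPE number
    PERMISSIONS FOR select WHERE owner = $auth.id;
DEFINE INDEX employee_salary ON TABLE employee FIELDS salary;

-- What a low-privileged user runs: salary comes back as null for other people's
-- rows, but on an affected version the rows are still ordered by it.
SELECT id, salary FROM employee ORDER BY salary;

-- Mitigation: drop the index on the select-restricted field ...
REMOVE INDEX employee_salary ON TABLE employee;

-- ... or enforce the boundary on the table instead of the field, so rows the
-- user may not read are never returned (and never ordered) at all.
-- (OVERWRITE is assumed here to be the redefinition syntax.)
DEFINE TABLE OVERWRITE employee SCHEMAFULL
    PERMISSIONS
        FOR select WHERE owner = $auth.id
        FOR create, update, delete WHERE $auth.role = 'admin';
```

Dropping the index costs you sorted reads on that field; moving the restriction to the table changes what non-owners see at all (no row rather than a null field), so pick the one that matches the application's data model, and in both cases still upgrade.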
Remediation Steps:
- Identify all SurrealDB tables containing both field-level SELECT permissions and active index definitions.
- Verify the current running version of SurrealDB by executing 'surreal version' in the terminal.
- If the running version is between 3.0.0 and 3.1.4, plan a maintenance window to upgrade the database binary.
- Download and install SurrealDB version 3.1.5 or later from the official repository.
- If upgrading is delayed, configure the environment variable 'SURREAL_PLANNER_STRATEGY=compute-only' in the service environment file.
- Restart the SurrealDB service to apply the configuration or binary updates.
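A small POSIX shell helper, added here and not part of the advisory or of SurrealDB, that automates the version check in the steps above: it reads the output of `surreal version` and reports whether the binary falls in the affected range. It assumes the version number is the first whitespace-separated token of that output (for example `3.1.4 for linux on x86_64`); the upgrade, the environment file edit and the restart are site-specific and are left to the operator.

```sh
#!/bin/sh
# Added helper for GHSA-H4H3-3RFJ-X6FQ remediation (not SurrealDB code).
# Assumption: `surreal version` prints the version number as its first
# whitespace-separated token, e.g. "3.1.4 for linux on x86_64".

AFFECTED_MIN=3.0.0   # first affected release (inclusive)
FIXED_IN=3.1.5       # first fixed release

# version_le A B: succeed (exit 0) when A <= B, comparing the first three
# numeric components; missing components count as 0 and a suffix such as
# "-beta.1" is dropped by awk's numeric conversion.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 0
    }'
}

# is_affected "<surreal version output>": succeed when 3.0.0 <= v < 3.1.5.
is_affected() {
    v=$(printf '%s\n' "$1" | awk '{ sub(/^v/, "", $1); print $1 }')
    version_le "$AFFECTED_MIN" "$v" && ! version_le "$FIXED_IN" "$v"
}

# Live check against the binary on PATH. Exit 1 when affected, 2 when no
# binary was found, 0 otherwise.
check_installed_surreal() {
    if ! command -v surreal >/dev/null 2>&1; then
        echo "surreal binary not found on PATH" >&2
        return 2
    fi
    out=$(surreal version 2>/dev/null)
    if is_affected "$out"; then
        echo "AFFECTED: $out"
        echo "Upgrade to $FIXED_IN or later; until then set" \
             "SURREAL_PLANNER_STRATEGY=compute-only in the service environment and restart."
        return 1
    fi
    echo "not affected: $out"
}

# Run the live check only when invoked with --check, so the functions can be
# sourced or tested on a host without a SurrealDB install.
if [ "${1:-}" = "--check" ]; then
    check_installed_surreal
fi
```

Run it as `sh check-surreal.sh --check` on each database host; a non-zero exit is your signal to schedule the upgrade, and the version comparison is pure awk so it runs on the minimal images SurrealDB is usually deployed on.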
References
- GitHub Security Advisory GHSA-h4h3-3rfj-x6fq
- SurrealDB GitHub Repository
- SurrealQL DEFINE FIELD Documentation
- SurrealQL DEFINE INDEX Documentation
- SurrealQL DEFINE TABLE Documentation