
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-jv2j-mqmw-xvv5: Stack Overflow Denial of Service in SurrealDB Query Engine

Vulnerability ID: GHSA-JV2J-MQMW-XVV5
CVSS Score: 6.5
Published: 2026-06-19

An authenticated denial-of-service vulnerability in SurrealDB allows remote attackers with query privileges to crash the server process. The issue arises from uncontrolled recursion during the compilation, serialization, or deallocation of exceptionally deep Abstract Syntax Trees (ASTs). While the iterative Pratt parser successfully handles long flat sequences of binary operators without triggering recursion limits, the resulting AST structure causes stack overflow in downstream recursive tree-walking components.

TL;DR

A stack overflow vulnerability in SurrealDB allows authenticated users to trigger an uncatchable process abort by submitting queries with thousands of chained binary operators. The issue is resolved in version 3.1.5 by introducing a parser-level recursion depth limit.
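To make the mechanism concrete, here is an added example in Rust (not SurrealDB's code): an iterative parser that, like the Pratt parser described above, never recurses and yet builds an AST as deep as the query's operator count, with the depth limit enforced at parse time and an iterative Drop so that deallocating a deep tree does not recurse either. The `Expr` type, `parse_sum` and its `max_depth` parameter are assumptions standing in for SurrealDB's internals and the SURREAL_MAX_EXPRESSION_PARSING_DEPTH setting.

```rust
// Added example, not SurrealDB's code: a toy model of the bug class above. The AST,
// tokenizer and `max_depth` are assumptions standing in for the real parser and
// the SURREAL_MAX_EXPRESSION_PARSING_DEPTH setting.
#[derive(Debug)]
pub enum Expr { Num(i64), Add(Box<Expr>, Box<Expr>) }
#[derive(Debug, PartialEq)]
pub enum ParseError { TooDeep { depth: usize, limit: usize }, BadNumber(String) }

/// Iterative, left-associative parse of "1+2+3+...". The loop never recurses, but
/// every '+' nests the tree one level deeper, so a flat-looking query yields an AST
/// as deep as its operator count. The limit is enforced here, before any tree-walker.
pub fn parse_sum(src: &str, max_depth: usize) -> Result<Expr, ParseError> {
    let (mut acc, mut depth): (Option<Expr>, usize) = (None, 0);
    for tok in src.split('+').map(str::trim) {
        let n: i64 = tok.parse().map_err(|_| ParseError::BadNumber(tok.to_string()))?;
        acc = Some(match acc {
            None => Expr::Num(n),
            Some(lhs) => {
                depth += 1;
                if depth > max_depth {
                    return Err(ParseError::TooDeep { depth, limit: max_depth });
                }
                Expr::Add(Box::new(lhs), Box::new(Expr::Num(n)))
            }
        });
    }
    Ok(acc.expect("split yields at least one token"))
}

// Deallocation is a tree walk too: the compiler-generated drop would recurse once
// per level. Moving children onto a heap work list keeps every drop call shallow.
fn detach_children(e: &mut Expr, out: &mut Vec<Expr>) {
    if let Expr::Add(l, r) = e {
        out.push(std::mem::replace(&mut **l, Expr::Num(0)));
        out.push(std::mem::replace(&mut **r, Expr::Num(0)));
    }
}
impl Drop for Expr {
    fn drop(&mut self) {
        let mut pending = Vec::new();
        detach_children(self, &mut pending);
        while let Some(mut e) = pending.pop() {
            detach_children(&mut e, &mut pending); // `e` drops here with leaf children only
        }
    }
}

fn main() {
    let query = vec!["1"; 100_001].join("+"); // constructed: 100_000 chained '+' operators
    println!("{:?}", parse_sum(&query, 128).map(|_| "accepted"));
}
```

With the limit set to 128 the constructed query is rejected at the 129th operator, before any compiler, serializer or destructor walks the tree.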


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-674, CWE-400
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.5 (Medium)
  • Exploit Status: Proof-of-Concept
  • CISA KEV Status: Not Listed
  • Impact: Denial of Service (Process Abort)

Affected Systems

  • SurrealDB Server
  • SurrealDB: >= 3.0.0, < 3.1.5 (Fixed in: 3.1.5)

Mitigation Strategies

  • Upgrade SurrealDB to version 3.1.5 or later.
  • Configure the SURREAL_MAX_EXPRESSION_PARSING_DEPTH environment variable to a safe limit.
  • Run SurrealDB with the --deny-arbitrary-query flag to prevent low-privileged users from running custom SurrealQL queries.

Remediation Steps

  1. Deploy SurrealDB version 3.1.5 to all environment instances.
  2. Verify system environment variables are configured with SURREAL_MAX_EXPRESSION_PARSING_DEPTH=128.
  3. Configure reverse proxies to drop HTTP requests containing excessive repetition of mathematical or logical symbols.

Read the full report for GHSA-JV2J-MQMW-XVV5 on our website for more details including interactive diagrams and full exploit analysis.
