CVE Reports

Posted on • Originally published at cvereports.com

GHSA-XX7M-69FF-9CRP: SurrealDB's Poison Pill: Crashing the Database with a Single String

Vulnerability ID: GHSA-XX7M-69FF-9CRP
CVSS Score: 6.5
Published: 2026-02-12

A critical Denial of Service vulnerability exists in SurrealDB's embedded JavaScript engine, QuickJS. By defining a scripting function containing an excessively large string literal, an attacker can trigger a Null Pointer Dereference (CWE-476) during the compilation phase. Because the fault occurs inside the C-based QuickJS engine, Rust's memory-safety guarantees do not apply, and the entire database process terminates immediately with a segmentation fault.

TL;DR

SurrealDB embeds the QuickJS engine to allow inline JavaScript functions. A flaw in how QuickJS handles massive string literals during compilation allows an attacker to trigger a Null Pointer Dereference. By submitting a crafted SurrealQL query that generates a huge string and feeds it to the JS engine, an authenticated user can crash the server instantly. The fix involves updating the internal rquickjs dependency.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-476 (Null Pointer Dereference)
  • Attack Vector: Network (Authenticated)
  • CVSS Score: 6.5 (Medium)
  • Impact: Denial of Service (Process Crash)
  • Component: QuickJS / rquickjs
  • Exploit Status: PoC Available

Affected Systems

  • SurrealDB Server (versions using rquickjs < 0.11.0)
  • SurrealDB Embedded (Rust crate)
  • SurrealDB: < 2026-02-02 builds (Fixed in: Post-Feb 2026 builds)

Code Analysis

Commit: bcd2ece

Update rquickjs to 0.11.0 to fix NPD

dependencies:
- rquickjs = "0.6"
+ rquickjs = "0.11.0"
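Review bot: the jump from rquickjs "0.6" to "0.11.0" crosses several 0.x releases, which Cargo treats as semver-incompatible, so this manifest line alone does not show that the existing call sites still compile and behave the same. The commit should carry or link the accompanying API adjustments, plus a regression test that defines a scripting function with an oversized string literal and asserts a returned error rather than a process crash. It is also worth confirming that Cargo.lock changes in the same commit, so that builds actually resolve to 0.11.0 or later.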

Mitigation Strategies

  • Upgrade SurrealDB to a version incorporating rquickjs >= 0.11.0.
  • Disable embedded scripting if not strictly required by business logic.
  • Implement query analysis to reject excessively large string literals before they reach the execution engine.
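
One way to implement the third mitigation, as an added example (not SurrealDB's code): a Rust pre-filter that scans query text for quoted literals and rejects any above a limit. The names `screen_query` and `Verdict` and the 64 KiB `MAX_LITERAL_BYTES` are assumptions for illustration; the advisory gives no threshold.

```rust
// Pre-screen query text for oversized string literals before it reaches the engine.
// MAX_LITERAL_BYTES is an assumed policy value, not a threshold from the advisory.
const MAX_LITERAL_BYTES: usize = 64 * 1024;

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    OversizedLiteral { offset: usize, len: usize }, // literal starting at `offset` is too long
    Unterminated { offset: usize },                 // quote never closed: reject, do not guess
}

/// Scan `query` for '...', "..." and `...` literals, honouring backslash escapes.
/// Comments are not parsed, so a stray quote inside a comment fails closed.
pub fn screen_query(query: &str, max_len: usize) -> Verdict {
    let bytes = query.as_bytes(); // quote bytes are ASCII, so byte scanning is UTF-8 safe
    let mut i = 0;
    while i < bytes.len() {
        let quote = bytes[i];
        if quote != b'\'' && quote != b'"' && quote != b'`' {
            i += 1;
            continue;
        }
        let start = i;
        i += 1;
        let mut closed = false;
        while i < bytes.len() {
            match bytes[i] {
                b'\\' => i += 2, // skip the escaped byte
                b if b == quote => { closed = true; break; }
                _ => i += 1,
            }
        }
        if !closed {
            return Verdict::Unterminated { offset: start };
        }
        let len = i - start - 1; // bytes between the two quotes
        if len > max_len {
            return Verdict::OversizedLiteral { offset: start, len };
        }
        i += 1; // step past the closing quote
    }
    Verdict::Allow
}

fn main() {
    // Constructed sample input, not taken from the advisory.
    let ok = "CREATE person SET name = 'Tobie';";
    let big = format!("LET $note = '{}';", "A".repeat(MAX_LITERAL_BYTES + 1));
    println!("{:?} / {:?}", screen_query(ok, MAX_LITERAL_BYTES), screen_query(&big, MAX_LITERAL_BYTES));
}
```

This screens only literals present in the submitted text, so it complements the rquickjs upgrade rather than replacing it: a string built at runtime by the query never appears as a literal.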

Remediation Steps:

  1. Check current version: surreal version.
  2. Pull the latest Docker image: docker pull surrealdb/surrealdb:latest.
  3. Restart the database instance.
  4. Verify the fix by attempting to define a function with a large string (in a testing environment!); it should now error gracefully instead of crashing.
