<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SurrealDB (&lt; 3.1.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/surrealdb--3.1.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:36:18 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/surrealdb--3.1.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>SurrealDB HTTP /rpc Session Hijack Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/</link><pubDate>Fri, 03 Jul 2026 12:36:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/</guid><description>A critical vulnerability (versions prior to 3.1.0) in SurrealDB's HTTP /rpc endpoint allowed unauthenticated attackers to enumerate session UUIDs via the `sessions` method, enabling full session hijack of any attached and authenticated session due to a lack of ownership checks, leading to unauthorized data manipulation and privilege escalation.</description><content:encoded><![CDATA[<p>Anonymous attackers can exploit a critical vulnerability in SurrealDB’s HTTP <code>/rpc</code> endpoint, specifically affecting versions prior to 3.1.0. The flaw allows an unauthenticated caller to invoke the <code>sessions</code> method, which inadvertently returns all attached session UUIDs. Furthermore, the <code>/rpc</code> handler failed to perform ownership checks when a client-supplied session ID was present in a request. This combination enables an attacker to enumerate valid session identifiers and then impersonate any authenticated session by injecting a stolen UUID into subsequent requests. This vulnerability is particularly impactful for applications using the official Rust SDK’s <code>Http</code>/<code>Https</code> engine, as it automatically attaches sessions, making them enumerable and hijackable. Successful exploitation grants the attacker the full privileges of the hijacked session, including read, write, and delete capabilities over database data, as well as metadata exfiltration and privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An anonymous attacker sends an unauthenticated HTTP GET or POST request to the SurrealDB <code>/rpc</code> endpoint, invoking the <code>sessions</code> method.</li>
<li>The vulnerable SurrealDB server (versions &lt; 3.1.0) responds to the unauthenticated request by returning a list of all currently attached session UUIDs.</li>
<li>The attacker parses the server's response to extract one or more valid, potentially authenticated, session UUIDs.</li>
<li>The attacker crafts a subsequent HTTP POST request to the <code>/rpc</code> endpoint, including a stolen session UUID within the <code>session</code> field of the request body or header.</li>
<li>The vulnerable SurrealDB server processes this request without performing an ownership check, associating the incoming request with the privileges and context of the hijacked session.</li>
<li>The attacker leverages the hijacked session's privileges to execute arbitrary database operations (e.g., read, write, or delete data), dump sensitive metadata, invalidate other sessions, or perform other actions commensurate with the compromised session's access level, potentially escalating to root.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an unauthenticated attacker to completely hijack any attached and authenticated SurrealDB session. This leads to unauthorized data access, modification, and deletion for any data the compromised session can reach. Attackers can also exfiltrate sensitive database metadata, invalidate legitimate user sessions, and achieve privilege escalation up to the highest level associated with the hijacked session, potentially gaining root access to the database. The breadth of impact depends directly on the privileges of the stolen session, posing a significant risk to data integrity, confidentiality, and availability for affected SurrealDB deployments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all SurrealDB instances to version 3.1.0 or later immediately to patch the vulnerability described in this brief.</li>
<li>If immediate upgrade is not possible, modify application logic to avoid client flows that call <code>attach</code> against HTTP <code>/rpc</code>, as detailed in the workarounds section of this brief, prioritizing WebSocket transport or REST endpoints.</li>
<li>Implement network-level access controls to restrict direct access to the <code>/rpc</code> endpoint to only trusted internal clients, as described in the workaround for this vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>surrealdb</category><category>vulnerability</category><category>session-hijack</category><category>web-application</category><category>rpc</category><category>database</category></item><item><title>SurrealDB HTTP RPC Session Race Condition Allows Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-race-condition/</link><pubDate>Fri, 03 Jul 2026 12:35:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-race-condition/</guid><description>An unauthenticated time-of-check/time-of-use (TOCTOU) race condition exists in the HTTP /rpc endpoint of SurrealDB versions prior to 3.1.0, allowing an attacker to inherit the session and privileges of an authenticated user by sending concurrent requests, potentially leading to full control over the database if a highly privileged session is hijacked.</description><content:encoded><![CDATA[<p>SurrealDB, a multi-model database, is affected by a critical time-of-check/time-of-use (TOCTOU) race condition (CVE-2024-XXXX, though not explicitly numbered in source) within its HTTP <code>/rpc</code> endpoint. This vulnerability impacts versions prior to <code>v3.1.0</code> and allows an unauthenticated attacker to escalate privileges. The flaw stems from concurrent requests sharing mutable authentication state; an unauthenticated request can race to inherit the session context of a legitimate, concurrently executing authenticated request. This mechanism, affecting the primary interface used by all official SurrealDB SDKs, allows attackers to bypass authentication and execute actions with the hijacked user's permissions, potentially leading to complete compromise of the SurrealDB instance if a root or namespace-level session is targeted.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated user sends a legitimate <code>POST</code> request to the <code>/rpc</code> endpoint of a vulnerable SurrealDB instance.</li>
<li>During the processing of this legitimate request, the server temporarily sets its internal, shared session state to the authenticated user's context.</li>
<li>An unauthenticated attacker, with network access to the <code>/rpc</code> endpoint, concurrently sends a <code>POST</code> request to the same <code>/rpc</code> endpoint.</li>
<li>Due to the TOCTOU race condition, the attacker's unauthenticated request is processed while the internal session state still holds the authenticated user's context.</li>
<li>The attacker's request incorrectly inherits the session and privileges of the legitimate, authenticated user.</li>
<li>The attacker's request is then executed with the elevated privileges of the hijacked session, bypassing authentication.</li>
<li>If the hijacked session belonged to a root or namespace-level user, the attacker gains full control over the database, including reading, modifying, or deleting any data and creating persistent namespace-level users.</li>
<li>If the hijacked session belonged to a scoped record user, the attacker's actions are limited to that user's defined permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>An unauthenticated attacker exploiting this race condition can achieve privilege escalation within the SurrealDB instance. The severity of the impact is directly tied to the privileges of the authenticated user whose session is hijacked. If a highly privileged user, such as a root or namespace-level administrator, has their session compromised, the attacker can gain complete control over the database, including the ability to read, modify, or delete any data, as well as create new persistent users at the namespace level. This could lead to data integrity loss, unauthorized data access, and persistent compromise of the database environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade SurrealDB instances to version <code>3.1.0</code> or newer immediately to apply the patch that introduces per-request session isolation.</li>
<li>Implement network-level controls (e.g., firewall rules, WAFs) to restrict access to the <code>/rpc</code> endpoint to only trusted clients and applications, reducing the exposure surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>race-condition</category><category>webserver</category><category>surrealdb</category></item><item><title>SurrealDB Denial of Service Vulnerability via JSON Parser (GHSA-q729-696q-g9pq)</title><link>https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/</link><pubDate>Fri, 03 Jul 2026 12:29:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/</guid><description>An unauthenticated remote attacker can exploit a Denial of Service vulnerability (GHSA-q729-696q-g9pq) in SurrealDB's value and JSON parser, which failed to enforce recursion depth limits when processing deeply nested JSON payloads sent to the WebSocket /rpc endpoint, leading to server memory exhaustion and process crashes.</description><content:encoded><![CDATA[<p>A high-severity Denial of Service vulnerability (GHSA-q729-696q-g9pq) has been identified in SurrealDB, affecting versions prior to 3.1.0. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted, deeply nested JSON payload to the server's WebSocket <code>/rpc</code> endpoint. The vulnerability lies in the value and JSON parser, which inconsistently failed to enforce configured recursion depth limits for nested objects, arrays, or parentheses. This oversight allows the malicious payload to exhaust server memory during parsing, leading to the immediate crash of the SurrealDB process. This issue is a partial fix for a previous vulnerability (GHSA-6r8p-hpg7-825g) that addressed a similar problem in the expression parser but overlooked the value/JSON parser code path. The immediate impact is service unavailability for affected SurrealDB instances, requiring manual restart.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance</strong>: An attacker identifies a publicly exposed SurrealDB instance, potentially through port scanning or misconfiguration.</li>
<li><strong>Vulnerability Identification</strong>: The attacker identifies the accessible WebSocket <code>/rpc</code> endpoint, which is vulnerable to unauthenticated input.</li>
<li><strong>Payload Crafting</strong>: The attacker crafts a malicious JSON payload characterized by extremely deep nesting of objects (<code>{}</code>), arrays (<code>[]</code>), or parentheses (<code>()</code>).</li>
<li><strong>Connection Establishment</strong>: The attacker establishes a WebSocket connection to the identified <code>/rpc</code> endpoint on the vulnerable SurrealDB server.</li>
<li><strong>Malicious Request</strong>: The crafted, deeply nested JSON payload is sent by the attacker over the established WebSocket connection to the SurrealDB server.</li>
<li><strong>Vulnerable Parsing</strong>: The SurrealDB server's value and JSON parser attempts to process the incoming payload but fails to enforce its configured recursion depth limits due to the identified vulnerability.</li>
<li><strong>Resource Exhaustion</strong>: The uncontrolled recursive parsing of the deeply nested JSON payload rapidly consumes and exhausts the server's available memory resources.</li>
<li><strong>Denial of Service</strong>: The SurrealDB process crashes as a result of the memory exhaustion, rendering the database service completely unavailable to legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of this vulnerability is a complete Denial of Service for affected SurrealDB instances. An unauthenticated remote attacker can trigger a server crash with a single malicious WebSocket message, requiring no prior credentials or query execution privileges. This vulnerability can lead to significant downtime for any applications or services relying on the SurrealDB instance, causing operational disruption and potential data inconsistencies if the server crashes unexpectedly during write operations. There are no known workarounds other than restricting network access or patching.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-GHSA-q729-696q-g9pq immediately</strong>: Upgrade all SurrealDB instances to version 3.1.0 or later to apply the fix for this vulnerability.</li>
<li><strong>Restrict Network Access</strong>: Implement network access controls (firewalls, security groups) to restrict access to the WebSocket <code>/rpc</code> endpoint to only trusted clients or internal networks.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>websocket</category><category>server</category></item></channel></rss>