{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/surrealdb/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 3.1.0)","rust/surrealdb (\u003c 3.1.0)"],"_cs_severities":["high"],"_cs_tags":["surrealdb","vulnerability","session-hijack","web-application","rpc","database"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eAnonymous attackers can exploit a critical vulnerability in SurrealDB’s HTTP \u003ccode\u003e/rpc\u003c/code\u003e endpoint, specifically affecting versions prior to 3.1.0. The flaw allows an unauthenticated caller to invoke the \u003ccode\u003esessions\u003c/code\u003e method, which inadvertently returns all attached session UUIDs. Furthermore, the \u003ccode\u003e/rpc\u003c/code\u003e handler failed to perform ownership checks when a client-supplied session ID was present in a request. This combination enables an attacker to enumerate valid session identifiers and then impersonate any authenticated session by injecting a stolen UUID into subsequent requests. This vulnerability is particularly impactful for applications using the official Rust SDK’s \u003ccode\u003eHttp\u003c/code\u003e/\u003ccode\u003eHttps\u003c/code\u003e engine, as it automatically attaches sessions, making them enumerable and hijackable. Successful exploitation grants the attacker the full privileges of the hijacked session, including read, write, and delete capabilities over database data, as well as metadata exfiltration and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn anonymous attacker sends an unauthenticated HTTP GET or POST request to the SurrealDB \u003ccode\u003e/rpc\u003c/code\u003e endpoint, invoking the \u003ccode\u003esessions\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SurrealDB server (versions \u0026lt; 3.1.0) responds to the unauthenticated request by returning a list of all currently attached session UUIDs.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the server's response to extract one or more valid, potentially authenticated, session UUIDs.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a subsequent HTTP POST request to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint, including a stolen session UUID within the \u003ccode\u003esession\u003c/code\u003e field of the request body or header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SurrealDB server processes this request without performing an ownership check, associating the incoming request with the privileges and context of the hijacked session.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked session's privileges to execute arbitrary database operations (e.g., read, write, or delete data), dump sensitive metadata, invalidate other sessions, or perform other actions commensurate with the compromised session's access level, potentially escalating to root.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to completely hijack any attached and authenticated SurrealDB session. This leads to unauthorized data access, modification, and deletion for any data the compromised session can reach. Attackers can also exfiltrate sensitive database metadata, invalidate legitimate user sessions, and achieve privilege escalation up to the highest level associated with the hijacked session, potentially gaining root access to the database. The breadth of impact depends directly on the privileges of the stolen session, posing a significant risk to data integrity, confidentiality, and availability for affected SurrealDB deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all SurrealDB instances to version 3.1.0 or later immediately to patch the vulnerability described in this brief.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, modify application logic to avoid client flows that call \u003ccode\u003eattach\u003c/code\u003e against HTTP \u003ccode\u003e/rpc\u003c/code\u003e, as detailed in the workarounds section of this brief, prioritizing WebSocket transport or REST endpoints.\u003c/li\u003e\n\u003cli\u003eImplement network-level access controls to restrict direct access to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint to only trusted internal clients, as described in the workaround for this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:36:18Z","date_published":"2026-07-03T12:36:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/","summary":"A critical vulnerability (versions prior to 3.1.0) in SurrealDB's HTTP /rpc endpoint allowed unauthenticated attackers to enumerate session UUIDs via the `sessions` method, enabling full session hijack of any attached and authenticated session due to a lack of ownership checks, leading to unauthorized data manipulation and privilege escalation.","title":"SurrealDB HTTP /rpc Session Hijack Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-session-hijack/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 3.1.0)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","race-condition","webserver","surrealdb"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eSurrealDB, a multi-model database, is affected by a critical time-of-check/time-of-use (TOCTOU) race condition (CVE-2024-XXXX, though not explicitly numbered in source) within its HTTP \u003ccode\u003e/rpc\u003c/code\u003e endpoint. This vulnerability impacts versions prior to \u003ccode\u003ev3.1.0\u003c/code\u003e and allows an unauthenticated attacker to escalate privileges. The flaw stems from concurrent requests sharing mutable authentication state; an unauthenticated request can race to inherit the session context of a legitimate, concurrently executing authenticated request. This mechanism, affecting the primary interface used by all official SurrealDB SDKs, allows attackers to bypass authentication and execute actions with the hijacked user's permissions, potentially leading to complete compromise of the SurrealDB instance if a root or namespace-level session is targeted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user sends a legitimate \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint of a vulnerable SurrealDB instance.\u003c/li\u003e\n\u003cli\u003eDuring the processing of this legitimate request, the server temporarily sets its internal, shared session state to the authenticated user's context.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker, with network access to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint, concurrently sends a \u003ccode\u003ePOST\u003c/code\u003e request to the same \u003ccode\u003e/rpc\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the TOCTOU race condition, the attacker's unauthenticated request is processed while the internal session state still holds the authenticated user's context.\u003c/li\u003e\n\u003cli\u003eThe attacker's request incorrectly inherits the session and privileges of the legitimate, authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker's request is then executed with the elevated privileges of the hijacked session, bypassing authentication.\u003c/li\u003e\n\u003cli\u003eIf the hijacked session belonged to a root or namespace-level user, the attacker gains full control over the database, including reading, modifying, or deleting any data and creating persistent namespace-level users.\u003c/li\u003e\n\u003cli\u003eIf the hijacked session belonged to a scoped record user, the attacker's actions are limited to that user's defined permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthenticated attacker exploiting this race condition can achieve privilege escalation within the SurrealDB instance. The severity of the impact is directly tied to the privileges of the authenticated user whose session is hijacked. If a highly privileged user, such as a root or namespace-level administrator, has their session compromised, the attacker can gain complete control over the database, including the ability to read, modify, or delete any data, as well as create new persistent users at the namespace level. This could lead to data integrity loss, unauthorized data access, and persistent compromise of the database environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SurrealDB instances to version \u003ccode\u003e3.1.0\u003c/code\u003e or newer immediately to apply the patch that introduces per-request session isolation.\u003c/li\u003e\n\u003cli\u003eImplement network-level controls (e.g., firewall rules, WAFs) to restrict access to the \u003ccode\u003e/rpc\u003c/code\u003e endpoint to only trusted clients and applications, reducing the exposure surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:35:23Z","date_published":"2026-07-03T12:35:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-race-condition/","summary":"An unauthenticated time-of-check/time-of-use (TOCTOU) race condition exists in the HTTP /rpc endpoint of SurrealDB versions prior to 3.1.0, allowing an attacker to inherit the session and privileges of an authenticated user by sending concurrent requests, potentially leading to full control over the database if a highly privileged session is hijacked.","title":"SurrealDB HTTP RPC Session Race Condition Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-rpc-race-condition/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 3.1.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","websocket","server"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eA high-severity Denial of Service vulnerability (GHSA-q729-696q-g9pq) has been identified in SurrealDB, affecting versions prior to 3.1.0. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted, deeply nested JSON payload to the server's WebSocket \u003ccode\u003e/rpc\u003c/code\u003e endpoint. The vulnerability lies in the value and JSON parser, which inconsistently failed to enforce configured recursion depth limits for nested objects, arrays, or parentheses. This oversight allows the malicious payload to exhaust server memory during parsing, leading to the immediate crash of the SurrealDB process. This issue is a partial fix for a previous vulnerability (GHSA-6r8p-hpg7-825g) that addressed a similar problem in the expression parser but overlooked the value/JSON parser code path. The immediate impact is service unavailability for affected SurrealDB instances, requiring manual restart.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies a publicly exposed SurrealDB instance, potentially through port scanning or misconfiguration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker identifies the accessible WebSocket \u003ccode\u003e/rpc\u003c/code\u003e endpoint, which is vulnerable to unauthenticated input.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting\u003c/strong\u003e: The attacker crafts a malicious JSON payload characterized by extremely deep nesting of objects (\u003ccode\u003e{}\u003c/code\u003e), arrays (\u003ccode\u003e[]\u003c/code\u003e), or parentheses (\u003ccode\u003e()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConnection Establishment\u003c/strong\u003e: The attacker establishes a WebSocket connection to the identified \u003ccode\u003e/rpc\u003c/code\u003e endpoint on the vulnerable SurrealDB server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Request\u003c/strong\u003e: The crafted, deeply nested JSON payload is sent by the attacker over the established WebSocket connection to the SurrealDB server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Parsing\u003c/strong\u003e: The SurrealDB server's value and JSON parser attempts to process the incoming payload but fails to enforce its configured recursion depth limits due to the identified vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Exhaustion\u003c/strong\u003e: The uncontrolled recursive parsing of the deeply nested JSON payload rapidly consumes and exhausts the server's available memory resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The SurrealDB process crashes as a result of the memory exhaustion, rendering the database service completely unavailable to legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is a complete Denial of Service for affected SurrealDB instances. An unauthenticated remote attacker can trigger a server crash with a single malicious WebSocket message, requiring no prior credentials or query execution privileges. This vulnerability can lead to significant downtime for any applications or services relying on the SurrealDB instance, causing operational disruption and potential data inconsistencies if the server crashes unexpectedly during write operations. There are no known workarounds other than restricting network access or patching.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-GHSA-q729-696q-g9pq immediately\u003c/strong\u003e: Upgrade all SurrealDB instances to version 3.1.0 or later to apply the fix for this vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict Network Access\u003c/strong\u003e: Implement network access controls (firewalls, security groups) to restrict access to the WebSocket \u003ccode\u003e/rpc\u003c/code\u003e endpoint to only trusted clients or internal networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:29:44Z","date_published":"2026-07-03T12:29:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/","summary":"An unauthenticated remote attacker can exploit a Denial of Service vulnerability (GHSA-q729-696q-g9pq) in SurrealDB's value and JSON parser, which failed to enforce recursion depth limits when processing deeply nested JSON payloads sent to the WebSocket /rpc endpoint, leading to server memory exhaustion and process crashes.","title":"SurrealDB Denial of Service Vulnerability via JSON Parser (GHSA-q729-696q-g9pq)","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - SurrealDB","version":"https://jsonfeed.org/version/1.1"}