GHSA-XX7M-69FF-9CRP: SurrealDB's Poison Pill: Crashing the Database with a Single String

Published: February 12, 2026 at 08:10 PM EST
Source: Dev.to

Overview

Vulnerability ID: GHSA-XX7M-69FF-9CRP
CVSS Score: 6.5 (Medium)
Published: 2026-02-12

A denial‑of‑service vulnerability exists in SurrealDB’s embedded JavaScript engine, QuickJS, which SurrealDB drives through the rquickjs bindings. By defining a scripting function whose body contains an excessively large string literal, an authenticated attacker can trigger a Null Pointer Dereference (CWE‑476) while QuickJS compiles the function. Because the fault occurs inside the C engine on the far side of the FFI boundary, Rust’s memory‑safety guarantees do not cover it, and the database process terminates with a segmentation fault.

Vulnerability Details

  • Component: QuickJS / rquickjs
  • Attack Vector: Network (Authenticated)
  • Impact: Process crash (Denial of Service)
  • Exploit Status: Proof‑of‑Concept available

The flaw lies in how QuickJS handles very large string literals during compilation. An authenticated attacker submits a SurrealQL query that defines a scripting function carrying such a literal; the crash occurs while the engine compiles the function body, before any of its code runs, so no further interaction with the server is needed.

Affected Versions

Product                                      Affected Versions
SurrealDB Server (using rquickjs < 0.11.0)   All builds prior to 2026‑02‑02
SurrealDB Embedded (Rust crate)              Versions depending on rquickjs < 0.11.0

Remediation

Dependency Update

# Cargo.toml (embedded crate users; server operators upgrade the binary instead)
[dependencies]
- rquickjs = "0.6"
+ rquickjs = "0.11.0"
  • Upgrade SurrealDB to a release that incorporates rquickjs ≥ 0.11.0 (the advisory dates fixed server builds from 2026‑02‑02).
  • If embedded JavaScript scripting is not required, disable it so the engine is never reachable from a query.
  • As defence in depth, analyse incoming queries and reject scripting functions whose string literals are excessively large before the query reaches the JavaScript engine.
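The query‑analysis mitigation above, as an added example that is neither SurrealDB’s code nor part of the advisory: a coarse pre‑filter, written here in Rust, that extracts the bodies of `function() { ... }` scripting blocks from a SurrealQL query and rejects the query when any JavaScript string literal inside them exceeds a byte limit. The 64 KiB limit, the function names (`script_bodies`, `longest_literal`, `check_query`) and the `RETURN function() { ... }` syntax assumed for scripting blocks are assumptions. The scanner is a heuristic, not a parser: it honours backslash escapes and skips comments so a stray quote or brace does not derail it, but it does not evaluate template‑literal interpolation or string concatenation, so it catches the single‑oversized‑literal case the advisory describes and nothing more.

```rust
// Added example, not SurrealDB code. Heuristic pre-filter for the
// "huge string literal inside a scripting function" pattern.
const MAX_JS_STRING_LITERAL_BYTES: usize = 64 * 1024; // assumed policy limit

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Reject { literal_bytes: usize },
}

fn skip_ws(b: &[u8], mut j: usize) -> usize {
    while j < b.len() && b[j].is_ascii_whitespace() {
        j += 1;
    }
    j
}

/// Return the brace-delimited bodies of every `function(...) { ... }` block.
/// The brace depth count is quote-aware so `}` inside a JS string does not
/// end the body early (an attacker controls the body text).
pub fn script_bodies(query: &str) -> Vec<&str> {
    let b = query.as_bytes();
    let mut bodies = Vec::new();
    let mut i = 0;
    while let Some(off) = query[i..].find("function") {
        let mut j = skip_ws(b, i + off + "function".len());
        if b.get(j) != Some(&b'(') {
            i = j;
            continue;
        }
        j = match query[j..].find(')') {
            Some(p) => j + p + 1,
            None => break,
        };
        j = skip_ws(b, j);
        if b.get(j) != Some(&b'{') {
            i = j;
            continue;
        }
        let body_start = j + 1;
        let mut k = body_start;
        let mut depth = 1usize;
        let mut quote: Option<u8> = None;
        while k < b.len() && depth > 0 {
            let c = b[k];
            match quote {
                Some(q) => {
                    if c == b'\\' {
                        k += 1; // skip the escaped byte
                    } else if c == q {
                        quote = None;
                    }
                }
                None => match c {
                    b'\'' | b'"' | b'`' => quote = Some(c),
                    b'{' => depth += 1,
                    b'}' => depth -= 1,
                    _ => {}
                },
            }
            k += 1;
        }
        if depth == 0 {
            bodies.push(&query[body_start..k - 1]); // unterminated bodies are skipped
        }
        i = k.min(b.len());
    }
    bodies
}

/// Length in bytes of the longest single-, double- or backtick-quoted string
/// literal in a JavaScript body. `//` and `/* */` comments are skipped; an
/// unterminated literal is measured to the end of the body (conservative).
pub fn longest_literal(body: &str) -> usize {
    let b = body.as_bytes();
    let mut longest = 0;
    let mut i = 0;
    while i < b.len() {
        match b[i] {
            b'/' if b.get(i + 1) == Some(&b'/') => {
                while i < b.len() && b[i] != b'\n' {
                    i += 1;
                }
            }
            b'/' if b.get(i + 1) == Some(&b'*') => {
                i += 2;
                while i + 1 < b.len() && !(b[i] == b'*' && b[i + 1] == b'/') {
                    i += 1;
                }
                i += 2;
            }
            q @ (b'\'' | b'"' | b'`') => {
                let start = i + 1;
                let mut k = start;
                while k < b.len() && b[k] != q {
                    if b[k] == b'\\' {
                        k += 1;
                    }
                    k += 1;
                }
                longest = longest.max(k.min(b.len()) - start);
                i = k + 1;
            }
            _ => i += 1,
        }
    }
    longest
}

/// Reject the query if any scripting block carries a literal above `limit`.
pub fn check_query(query: &str, limit: usize) -> Verdict {
    let worst = script_bodies(query).into_iter().map(longest_literal).max().unwrap_or(0);
    if worst > limit {
        Verdict::Reject { literal_bytes: worst }
    } else {
        Verdict::Allow
    }
}

fn main() {
    // Constructed inputs: a benign scripting function and one carrying a 100 KiB literal.
    let benign = "RETURN function() { return 'hello'.toUpperCase(); };";
    let payload = format!(
        "RETURN function() {{ const s = \"{}\"; return s.length; }};",
        "A".repeat(100 * 1024)
    );
    println!("benign:  {:?}", check_query(benign, MAX_JS_STRING_LITERAL_BYTES));
    println!("payload: {:?}", check_query(&payload, MAX_JS_STRING_LITERAL_BYTES));
}
```

Run the check in front of the engine, and treat it as a stopgap: it narrows the reachable surface for this one pattern, while the dependency upgrade is the actual fix.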

Operational Steps

  1. Check current version
    surreal version
  2. Pull the latest Docker image
    docker pull surrealdb/surrealdb:latest
  3. Restart the database instance
  4. Verify the fix – In a testing environment, submit a query that defines a scripting function whose body contains a very large string literal. A patched server returns an error for that query instead of crashing.

References

Read the full report for GHSA‑XX7M‑69FF‑9CRP on the advisory website for interactive diagrams and a complete exploit analysis.
