CVE-2024-58361 PUBLISHED

SurrealDB before 2.0.4 Denial of Service via Parser Exception

Assigner: VulnCheck
Reserved: 18.07.2026 Published: 18.07.2026 Updated: 18.07.2026

SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries with empty string conversions to record, duration, or datetime types that cause a panic in error rendering, crashing the server.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 2.0.0 to 2.0.4 (excl.)
  • Version 2.0.4 is unaffected
Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 2.0.0 to 2.0.4 (excl.)
  • Version 2.0.4 is unaffected

References

Problem Types

  • Uncaught Exception CWE