CVE-2024-58370 PUBLISHED

SurrealDB before 1.1.0 Uncontrolled Recursion Denial of Service

Assigner: VulnCheck
Reserved: 18.07.2026 Published: 18.07.2026 Updated: 18.07.2026

SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit queries with excessive nesting depth to cause stack overflow and crash the server.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 1.1.0 (excl.)
  • Version 1.1.0 is unaffected

References

Problem Types

  • Uncontrolled Recursion CWE