CVE-2025-71391 PUBLISHED

SurrealDB before 2.2.2 Denial of Service via /sql endpoint

Assigner: VulnCheck
Reserved: 16.07.2026 Published: 18.07.2026 Updated: 18.07.2026

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instance and any dependent applications.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.2.2 (excl.)
  • Version 2.2.2 is unaffected
Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.1.5 (excl.)
  • Version 2.1.5 is unaffected
Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.0.5 (excl.)
  • Version 2.0.5 is unaffected

Credits

  • castilho101 reporter

References

Problem Types

  • Uncaught Exception CWE