CVE-2025-71397 PUBLISHED

SurrealDB before 2.2.2 CPU Exhaustion via nested FOR loops

Assigner: VulnCheck
Reserved: 16.07.2026 Published: 18.07.2026 Updated: 18.07.2026

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 allows authenticated users with OWNER or EDITOR permissions (at the root, namespace, or database level) to define custom database functions via DEFINE FUNCTION using nested FOR loops. Although a single loop's iteration count is constrained, nesting multiple loops (e.g., each with 1,000,000 iterations) is not, so an attacker can execute a function that consumes all server CPU time. Configured timeouts do not stop the execution, rendering the server unresponsive to other queries and connections until it is manually restarted.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.2.2 (excl.)
  • Version 2.2.2 is unaffected
Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.1.5 (excl.)
  • Version 2.1.5 is unaffected
Vendor surrealdb
Product surrealdb
Versions Default: unaffected
  • affected from 0 to 2.0.5 (excl.)
  • Version 2.0.5 is unaffected

Credits

  • cure53 reporter

References

Problem Types

  • Loop with Unreachable Exit Condition ('Infinite Loop') CWE