CVE-2024-58357 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB versions before 2.1.0 contain an uncaught exception vulnerability in the rand::time() function that panics when unwrap is called on a None result from timestamp_opt. Authorized clients can repeatedly invoke rand::time() to reliably trigger server panics and cause denial of service.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/18/2026

The vulnerability exists within SurrealDB versions prior to 2.1.0 where the rand::time() function contains an uncaught exception that leads to server panic conditions. This flaw specifically manifests when the timestamp_opt method returns a None value that is subsequently unwrapped without proper error handling. The technical implementation demonstrates a classic case of improper error propagation where the code assumes a successful timestamp conversion while failing to account for potential None values that can occur during time processing operations. The vulnerability operates at the core level of the database's random number generation functionality, directly impacting the system's stability and availability.

The operational impact of this vulnerability is significant as it enables authenticated clients to reliably trigger server panics through repeated invocation of the rand::time() function. This creates a deterministic denial of service condition where legitimate users can systematically disrupt database operations by making repeated calls to the vulnerable function. The vulnerability does not require special privileges beyond authentication access, making it particularly dangerous in environments where multiple users have database access. The panic conditions result in complete server shutdown or restart requirements, effectively preventing legitimate database operations from proceeding.

This vulnerability aligns with CWE-476 which describes NULL Pointer Dereference issues and follows patterns commonly seen in software that fails to properly handle optional values. The ATT&CK framework categorizes this as a Denial of Service attack vector through application-level exploitation, specifically targeting the availability component of the CIA triad. The flaw represents a fundamental error in defensive programming practices where developers assume certain operations will always succeed without proper null checking or error handling mechanisms.

Mitigation strategies should focus on implementing comprehensive error handling throughout the rand::time() function implementation, ensuring that all potential None values from timestamp_opt are properly checked before unwrapping operations occur. The fix requires updating the code to use proper option handling patterns such as match statements or the ? operator for graceful error propagation rather than direct unwrap calls. Additionally, rate limiting mechanisms should be implemented to prevent abuse of this functionality by authorized users and monitoring should be established to detect unusual patterns of rand::time() invocation that could indicate malicious activity. The most effective solution involves patching the software to version 2.1.0 or later where the vulnerability has been properly addressed through improved error handling protocols.

Responsible

VulnCheck

Reservation

06/08/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!