CVE-2024-58365 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 1.2.0 contain an uncaught exception vulnerability in the query executor when processing calls to nonexistent built-in functions. Authorized clients can craft pre-parsed queries invoking nonexistent functions to trigger a panic that crashes the server.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability exists within SurrealDB versions prior to 1.2.0 and represents a critical uncaught exception scenario that can lead to denial of service conditions. The flaw manifests when the query executor encounters pre-parsed queries containing calls to built-in functions that do not exist within the database system. Authorized clients who possess valid credentials can exploit this weakness by crafting specific query syntax that references non-existent functions, thereby triggering an unhandled exception that results in a server crash or panic state.
The technical implementation of this vulnerability stems from inadequate error handling mechanisms within the query processing pipeline. When SurrealDB's query executor attempts to resolve function calls during query execution, it fails to properly validate whether the referenced built-in functions actually exist within the system's function registry. This lack of proper validation creates a path where legitimate authenticated users can manipulate query inputs to reference non-existent components, causing the system to transition into an unstable state where it cannot continue normal operations without manual intervention.
From an operational impact perspective, this vulnerability presents significant risks to database availability and system reliability. The panic condition triggered by invalid function calls causes complete server termination, requiring system administrators to restart the database service manually. This disruption affects all connected applications and services that depend on SurrealDB for data operations, potentially causing cascading failures in dependent systems. The vulnerability is particularly concerning because it requires only authenticated access to exploit, meaning that any user with valid credentials can potentially cause service interruption.
The vulnerability aligns with CWE-457: Use of Uninitialized Variable and CWE-691: Insufficient Control Flow Management, as it demonstrates inadequate input validation and improper exception handling in the query execution environment. From an ATT&CK framework perspective, this represents a privilege escalation and denial of service technique where authenticated adversaries can leverage their access rights to disrupt system availability. Organizations should implement immediate mitigations including upgrading to SurrealDB version 1.2.0 or later, which includes proper exception handling for invalid function references, along with monitoring systems that can detect unusual query patterns or repeated panic events that may indicate exploitation attempts.