CVE-2024-58366 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throw_type function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/18/2026

The vulnerability identified in SurrealDB versions prior to 1.1.1 represents a critical format string vulnerability within the rquickjs Exception::throw_type function that exists when scripting capabilities are enabled. This flaw falls under the category of improper input validation and directly relates to CWE-134 which specifically addresses the use of format strings without proper validation or sanitization. The issue manifests when the database processes error messages containing format specifiers such as %s, %d, or %x within user-provided inputs that are subsequently passed to printf-style functions without appropriate sanitization.

When scripting is enabled within SurrealDB, legitimate users with scripting privileges can exploit this vulnerability by crafting malicious error inputs that contain format string sequences. The technical execution of this attack involves the attacker supplying specially formatted strings containing format specifiers that reference memory locations on the stack or heap. This allows for arbitrary memory reading capabilities where the attacker can extract sensitive data from memory segments, potentially including database credentials, internal structures, or other confidential information. The vulnerability extends beyond mere information disclosure as it can also enable code execution with the privileges of the SurrealDB process itself.

The operational impact of this vulnerability is severe and multifaceted. An attacker who successfully exploits this format string vulnerability gains the ability to execute arbitrary code within the context of the SurrealDB service, effectively providing full control over the database instance. This compromise can lead to unauthorized data access, data modification, complete database destruction, or even use as a foothold for further attacks within the network infrastructure. The privilege escalation aspect means that the attacker operates with the same permissions as the database service, potentially allowing them to access other system resources or escalate to higher privileges depending on how the SurrealDB process is configured.

The remediation strategy involves upgrading to SurrealDB version 1.1.1 or later where the format string vulnerability has been addressed through proper input sanitization and validation mechanisms. Organizations should also implement strict input validation for all user-provided data that could potentially be used in error message generation, ensuring that format specifiers are properly escaped or removed before processing. Additionally, system administrators should review and restrict scripting privileges to only trusted users and applications, implementing the principle of least privilege. This vulnerability aligns with ATT&CK technique T1059.007 for application command and script injection, while also demonstrating the importance of secure coding practices in preventing format string vulnerabilities that can lead to complete system compromise.

Security teams should monitor for potential exploitation attempts through log analysis and implement intrusion detection systems that can identify suspicious format string patterns in error handling routines. The fix implemented in version 1.1.1 likely includes proper sanitization of user inputs before they are processed by the exception handling functions, ensuring that format specifiers are treated as literal characters rather than executable instructions. Organizations using older versions should urgently assess their scripting configurations and consider disabling scripting features entirely if not absolutely required for operations, as this represents a fundamental security weakness that can be exploited remotely without authentication.

Responsible

VulnCheck

Reservation

07/18/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!