CVE-2024-58368 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability affects SurrealDB versions prior to 1.1.0 and represents a critical server-side application error that stems from inadequate input validation within the HTTP REST API implementation. The flaw specifically manifests when the database processes ID, DB, and NS headers in incoming requests, failing to properly sanitize or parse header values that contain special characters. This weakness creates an unhandled exception condition that results in complete server crash, effectively enabling a denial-of-service attack against the database service.
The technical root cause of this vulnerability aligns with CWE-20, which addresses "Improper Input Validation" in software systems. When attackers craft malicious HTTP requests containing special characters within these header fields, the SurrealDB server processes these values without proper sanitization mechanisms. The system's failure to anticipate and handle malformed header data leads to an uncaught exception that terminates the database process entirely. This behavior constitutes a classic example of insufficient exception handling in web applications, where malformed input directly translates into application termination rather than graceful error recovery.
From an operational perspective, this vulnerability presents a severe risk to database availability and system reliability since it allows unauthenticated attackers to remotely crash the SurrealDB server through simple HTTP request crafting. The attack requires minimal privileges and can be executed without prior authentication, making it particularly dangerous in production environments where database uptime is critical. The impact extends beyond simple service disruption as server crashes can result in data inconsistency issues, transaction rollbacks, and potential loss of recent database modifications.
The vulnerability demonstrates characteristics consistent with ATT&CK technique T1499.004, which involves "Domain or File System Permissions Modification" through service interruption methods. Attackers can leverage this flaw to perform sustained denial-of-service attacks that may require manual intervention to restore database services. The lack of authentication requirements means that any external party can potentially exploit this vulnerability, making it particularly concerning for publicly accessible databases.
Mitigation strategies should include immediate upgrade to SurrealDB version 1.1.0 or later where the parsing issues have been resolved through enhanced input validation and proper header handling mechanisms. Administrators should also implement network-level protections such as firewall rules that restrict access to database endpoints, rate limiting to prevent abuse of the vulnerable API, and monitoring solutions that can detect unusual crash patterns or service interruptions. Additionally, organizations should conduct comprehensive security testing of their SurrealDB deployments to identify any similar parsing vulnerabilities in other header fields or API endpoints within their database infrastructure.