CVE-2024-58369 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or namespace levels, causing server panic. Authorized clients can invoke these entities at unsupported levels to crash the SurrealDB server, resulting in denial of service.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability exists in SurrealDB versions prior to 1.1.1 where the database engine fails to properly validate the invocation of custom parameters and functions at root or namespace levels. The flaw stems from inadequate input validation mechanisms that allow authorized clients to bypass normal execution boundaries and attempt to invoke database entities at unsupported hierarchical levels. When such invalid invocations occur, the server experiences a critical failure resulting in a complete system panic and subsequent crash.
The technical implementation of this vulnerability involves the database's parameter and function resolution system failing to enforce proper access controls and validation checks at the root or namespace level operations. This represents a classic case of improper input validation and insufficient privilege separation, which can be categorized under CWE-20 as "Improper Input Validation" and CWE-732 as "Incorrect Permission Assignment for Critical Resource." The vulnerability allows authenticated users to exploit the system's trust model by leveraging legitimate access privileges to perform operations that should be restricted at certain hierarchical levels.
The operational impact of this vulnerability is significant as it enables a denial of service attack that can completely disrupt database operations. Any authorized client with sufficient privileges can trigger the server panic by invoking custom parameters or functions at unsupported locations within the database hierarchy. This creates a scenario where legitimate database operations become unavailable, and the system requires manual intervention to recover from the crash state. The vulnerability essentially provides an attacker with a reliable method to cause system unavailability without requiring elevated privileges beyond standard authentication.
The mitigation strategy should focus on implementing comprehensive input validation at all levels of the database hierarchy, particularly for parameter and function invocation operations. Database administrators should immediately upgrade to SurrealDB version 1.1.1 or later where proper validation mechanisms have been implemented to prevent unauthorized access patterns at root or namespace levels. Additional protective measures include implementing stricter access controls, monitoring for unusual invocation patterns, and establishing automated alerting systems that can detect potential exploitation attempts. Organizations should also review their database access policies and ensure that privilege escalation is properly controlled to minimize the attack surface available to potentially compromised accounts.
This vulnerability aligns with several ATT&CK techniques including T1499.004 for "Endpoint Denial of Service" and T1078.004 for "Valid Accounts" as it leverages legitimate authentication to perform disruptive operations. The attack chain typically involves gaining authorized access to the system followed by exploiting the validation flaw to cause service disruption. Security teams should monitor for patterns of function or parameter invocation that deviate from normal operational behavior and implement network-level controls to prevent exploitation attempts.