CVE-2024-58370 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit queries with excessive nesting depth to cause stack overflow and crash the server.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability affects SurrealDB versions prior to 1.1.0 and represents a critical recursion depth limitation flaw that can be exploited by authorized attackers to trigger stack overflow conditions. The issue manifests when parsing nested SurrealQL statements that involve conditional constructs such as IF statements, relationship operations like RELATE, and attribute access patterns. The database engine fails to implement proper recursion depth controls during query parsing, allowing maliciously crafted queries to exhaust the available stack space through excessive nesting levels.
The technical implementation of this vulnerability stems from inadequate input validation and parsing logic within the SurrealDB query processor. When an attacker submits a query containing deeply nested structures, the parser recursively processes each level without enforcing maximum depth constraints. This recursive processing continues until the system stack becomes exhausted, resulting in a crash that disrupts database operations and potentially exposes the system to denial of service conditions. The flaw operates at the parsing layer of the database engine, making it particularly dangerous as it can affect legitimate authenticated users who might inadvertently construct overly complex queries or malicious actors who deliberately exploit this weakness.
The operational impact of this vulnerability extends beyond simple service disruption to include potential data integrity concerns and system availability issues. An attacker with valid credentials can systematically crash the database server by submitting increasingly nested queries, effectively rendering the database unusable until manual intervention occurs through restart procedures. This type of attack aligns with common denial of service patterns where the attacker leverages legitimate system functionality against itself, making detection more challenging as the malicious activity appears to be normal database operations. The vulnerability particularly affects environments where database users have elevated privileges and where automated query processing might inadvertently trigger deep recursion scenarios.
Mitigation strategies for this vulnerability should focus on implementing proper recursion depth controls within the SurrealDB parser implementation. System administrators should immediately upgrade to SurrealDB version 1.1.0 or later, which includes built-in recursion depth limiting mechanisms that prevent excessive nesting during query parsing. Additionally, organizations should implement monitoring solutions to detect unusual query complexity patterns and establish automated alerts for potential exploitation attempts. From a defensive perspective, this vulnerability demonstrates the importance of implementing proper input validation and resource limitation controls as outlined in common weakness enumeration cwe-674 which specifically addresses uncontrolled recursion scenarios. The mitigation approach also aligns with attack technique tactics and techniques described in the attack tree framework where adversaries leverage legitimate system functions to create resource exhaustion conditions that impact availability and service integrity.
This vulnerability type represents a classic example of how seemingly benign parsing operations can become security threats when proper depth controls are absent from system design. The flaw exists primarily due to insufficient consideration of resource consumption patterns during query processing, particularly around recursive parsing algorithms that traverse nested data structures. Security teams should also consider implementing query complexity limits and execution time constraints as additional protective measures against similar recursion-based vulnerabilities in database systems. The remediation process requires not only software updates but also comprehensive testing to ensure that legitimate complex queries continue to function while preventing the exploitation of depth limitations.