CVE-2025-71391 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instance and any dependent applications.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/18/2026

The vulnerability identified in SurrealDB versions prior to 2.2.2 represents a critical stability issue within the network module that fundamentally undermines system reliability and availability. This flaw exists in the handling of HTTP requests submitted to the /sql endpoint, where authenticated users can exploit a specific code path that leads to application termination. The root cause lies in the absence of proper exception handling for null byte sequences within query parsing logic, creating a scenario where malicious input directly translates into system failure rather than graceful error recovery.

The technical implementation of this vulnerability stems from insufficient input validation and error handling mechanisms within the net module's HTTP request processing pipeline. When authenticated users submit crafted HTTP queries containing null bytes to the /sql endpoint, the application fails to properly sanitize or reject these malformed inputs, resulting in an uncaught exception that propagates through the system architecture. This particular flaw demonstrates a classic lack of defensive programming practices where the software does not anticipate or handle edge cases in input processing, leading to abrupt termination rather than proper error management.

From an operational impact perspective, this vulnerability creates significant risk for database availability and data integrity within SurrealDB deployments. The crash condition affects not only the primary database instance but also any applications or services that depend on its stability for continued operation. System administrators face potential downtime scenarios where authenticated users can deliberately cause service disruption through carefully constructed HTTP requests, potentially leading to denial of service conditions that could impact business operations and user access to critical data systems.

The vulnerability aligns with CWE-401, which addresses improper handling of exceptions and errors in software applications, and maps to ATT&CK technique T1499.004 related to network disruption through application crashes. Organizations deploying affected versions should immediately implement mitigation strategies including patching to version 2.2.2 or later, implementing input validation controls at the network level, and establishing monitoring for unusual HTTP request patterns that might indicate exploitation attempts.

Mitigation approaches should include immediate deployment of the patched SurrealDB version 2.2.2 which addresses the uncaught exception handling issue through proper null byte validation and graceful error recovery mechanisms. Network-level defenses such as web application firewalls can provide additional protection by filtering requests containing null bytes before they reach the database engine. Security monitoring should focus on detecting anomalous HTTP query patterns and implementing rate limiting to prevent abuse of the vulnerability. Additionally, organizations should conduct comprehensive testing to ensure that all authenticated access points properly validate input parameters and maintain robust error handling throughout their application stack.

The incident highlights fundamental security principles around defensive programming and proper error handling in database systems, emphasizing that even authenticated users with legitimate access can potentially cause system instability through carefully crafted inputs. This vulnerability serves as a reminder of the importance of implementing comprehensive input validation and exception handling across all network-facing components of database applications to prevent both accidental crashes and deliberate exploitation attempts.

Responsible

VulnCheck

Reservation

07/16/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!