CVE-2025-71393 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion and exhaust server memory.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability affects SurrealDB versions prior to 22.2.2 and represents a critical recursion enforcement flaw that undermines the database's security boundaries. The issue manifests when scripting capabilities are enabled, creating an attack vector where authenticated users can manipulate the query execution engine through carefully crafted function call sequences. The root cause lies in the improper handling of recursion limits within the database's native function implementation, particularly when these functions contain embedded javascript code that can initiate new queries. This architectural weakness allows attackers to construct recursive call chains that circumvent the intended recursion depth controls.
The technical exploitation involves chaining together native functions and javascript execution contexts to create infinite recursion patterns. When a native function contains embedded javascript that issues additional queries, the system fails to properly track the recursion depth across these different execution contexts. This creates a scenario where the database server can be forced into an endless loop of function calls and query executions, ultimately consuming all available memory resources. The vulnerability specifically targets the recursion limiting mechanisms that should prevent such abuse, allowing attackers to bypass these protections through clever manipulation of the scripting interface.
From an operational impact perspective, this vulnerability enables authenticated denial-of-service attacks that can completely crash database servers or render them unresponsive. The memory exhaustion occurs gradually but persistently, making it difficult to detect and mitigate in real-time monitoring systems. Attackers can maintain their resource consumption for extended periods, potentially causing service degradation across multiple database operations. The attack requires only authenticated access to the system, which lowers the barrier to exploitation while still maintaining significant impact potential.
Mitigation strategies should focus on implementing proper recursion depth tracking across all execution contexts including native functions and embedded javascript environments. Database administrators should immediately upgrade to SurrealDB version 2.2.2 or later where this vulnerability has been patched. Additional protective measures include implementing strict resource limits on database sessions, monitoring for unusual query patterns that might indicate recursive abuse, and configuring proper access controls to limit script execution capabilities. Organizations should also consider implementing network-level protections to detect and block suspicious query sequences that could indicate exploitation attempts.
This vulnerability aligns with CWE-674 - Uncontrolled Recursion and represents a failure in the database's resource management controls. The attack pattern follows typical denial-of-service methodologies found in the MITRE ATT&CK framework under the 'Resource Exhaustion' technique category, specifically targeting computational resources through recursive execution patterns. The weakness demonstrates poor input validation and insufficient state tracking mechanisms that should prevent arbitrary recursion within database query engines. Security teams should implement comprehensive monitoring for recursive function call patterns and establish baseline behavior for normal database operations to detect anomalous activity indicative of this vulnerability exploitation.
The patch implementation in version 2.2.2 addresses the core issue by introducing proper cross-context recursion depth tracking and stricter enforcement mechanisms. This fix ensures that all execution paths including native functions with embedded javascript are subject to consistent recursion limits, preventing the chaining attack pattern that previously enabled unlimited recursion. Organizations should verify their upgrade implementations include proper testing of existing scripts and applications to ensure compatibility with the new recursion enforcement controls while maintaining necessary functionality for legitimate use cases.