CVE-2025-71394 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with root, namespace, or database level privileges can point analyzers to arbitrary file paths and exfiltrate content from two-column tab-separated files.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
This vulnerability exists within SurrealDB versions prior to 2.2.2 and represents a critical local file read flaw that can be exploited through the DEFINE ANALYZER statement. The vulnerability stems from insufficient input validation and path sanitization mechanisms within the database engine's analyzer configuration functionality. Authenticated users with root, namespace, or database level privileges can manipulate the analyzer definition process to reference arbitrary file paths on the underlying file system. This creates a direct pathway for unauthorized data exfiltration from files that would otherwise be protected by standard file system permissions and access controls.
The technical exploitation occurs when an attacker constructs a malicious DEFINE ANALYZER statement that points to sensitive files within the system's file hierarchy. The vulnerability specifically targets two-column tab-separated files, which suggests that the implementation may have particular parsing logic or validation rules that make these file types susceptible to manipulation. This represents a classic path traversal vulnerability where the database engine fails to properly validate and sanitize file paths provided during analyzer configuration. The flaw aligns with CWE-22 Path Traversal and CWE-73 Requested Resource from Untrusted Input patterns, as it allows external input to influence file system access decisions.
The operational impact of this vulnerability is severe for organizations using affected SurrealDB versions, as it provides authenticated attackers with direct access to potentially sensitive data stored in tab-separated files across the system. Attackers can leverage this capability to exfiltrate configuration files, log data, user information, or other confidential resources that may contain credentials, personal data, or business-critical information. The vulnerability undermines the fundamental security boundaries of the database system and could enable further attacks if sensitive files contain authentication tokens, encryption keys, or other exploitable information.
Organizations should immediately upgrade to SurrealDB version 2.2.2 or later to remediate this vulnerability. Additionally, implementing proper access controls and privilege management can help limit the potential impact by reducing the number of authenticated users with root, namespace, or database level permissions. Network segmentation and monitoring of database activities can help detect suspicious DEFINE ANALYZER statements that attempt to access unusual file paths. This vulnerability also highlights the importance of validating all user-supplied input in database configuration operations and implementing proper path validation mechanisms before file system access is granted. The ATT&CK framework categorizes this as a privilege escalation technique through legitimate credentials, where attackers leverage existing permissions to access unauthorized resources within the system's file structure.