CVE-2025-71395 in SurrealDB
Summary
by MITRE • 07/18/2026
SurrealDB versions before 2.2.2 contain a memory exhaustion vulnerability in the string::replace function that fails to restrict resulting string length when using regex patterns. An authenticated attacker can craft a malicious query to exhaust server memory through unbounded string allocations, causing denial of service.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/18/2026
The SurrealDB database system before version 2.2.2 contains a critical memory exhaustion vulnerability within its string::replace function that operates with regular expression patterns. This flaw stems from the absence of proper bounds checking on the resulting string length when processing regex-based replacements, creating a scenario where an attacker can manipulate input parameters to generate arbitrarily large output strings. The vulnerability specifically affects the string manipulation functionality that processes regular expressions, allowing for uncontrolled memory allocation during query execution.
The technical implementation of this flaw resides in how SurrealDB handles regex pattern matching and replacement operations within its string::replace function. When a user provides a regex pattern along with replacement text, the system should validate that the resulting string does not exceed predetermined memory limits or processing constraints. However, the current implementation fails to enforce such restrictions, enabling attackers to craft inputs that cause exponential growth in memory consumption during processing. This occurs particularly when regex patterns are designed to match multiple occurrences within input strings, leading to massive output expansion that can quickly exhaust available server resources.
The operational impact of this vulnerability extends beyond simple denial of service conditions, as it represents a serious resource exhaustion threat that can affect system availability and stability. An authenticated attacker with access to the database can construct malicious queries that trigger unbounded string allocations, consuming all available memory on the target server. This type of attack can be particularly devastating in production environments where database resources are limited or where multiple concurrent connections exist. The vulnerability affects all versions prior to 2.2.2 and represents a significant risk to systems relying on SurrealDB's string manipulation capabilities.
From a cybersecurity perspective, this vulnerability aligns with CWE-770, which addresses allocation of resources without limits or with inadequate limits, and maps to ATT&CK technique T1499.004 for resource exhaustion attacks. The flaw demonstrates poor input validation practices and inadequate bounds checking in string processing functions, creating a pathway for attackers to exploit memory management weaknesses. Organizations should implement immediate mitigations including upgrading to SurrealDB version 2.2.2 or later, which contains the necessary fixes to prevent unbounded string expansion during regex operations. Additional protective measures include implementing query timeout mechanisms, monitoring for unusual memory consumption patterns, and restricting database access privileges to minimize potential attack surface.
The vulnerability represents a classic example of how seemingly benign string manipulation functions can become security risks when proper resource management is absent from implementation. This flaw highlights the importance of defensive programming practices in database systems where user inputs directly influence memory allocation decisions. The fix implemented in version 2.2.2 likely includes enforcing maximum output string length constraints and implementing proper memory limits during regex processing operations to prevent attackers from exploiting this vector for denial of service attacks.