CVE-2025-71396 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicitly enabled (via --allow-scripting or --allow-all). An authenticated attacker can submit long-running JavaScript functions to exhaust server resources and cause a denial of service. Scripting is disabled by default.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/18/2026

This vulnerability affects SurrealDB versions prior to specific patches, creating a critical security risk through improper resource management in embedded JavaScript execution environments. The flaw exists when scripting capabilities are explicitly enabled through command-line parameters such as --allow-scripting or --allow-all, which bypasses the default security configuration that disables scripting entirely. When enabled, the database system fails to implement a reasonable execution-time limit on JavaScript functions, allowing attackers to execute code that runs indefinitely without resource constraints.

The technical implementation of this vulnerability stems from the absence of time-bound execution controls within SurrealDB's JavaScript engine integration. Attackers with authentication credentials can submit malicious or intentionally prolonged JavaScript functions that consume excessive CPU and memory resources, leading to system performance degradation and ultimately denial of service conditions. This represents a classic resource exhaustion attack vector where the attacker leverages legitimate system capabilities to create an abnormal load condition.

The operational impact of this vulnerability extends beyond simple service disruption, as it enables authenticated attackers to potentially compromise entire database systems through sustained resource exhaustion attacks. The default disablement of scripting provides a basic security posture, but when explicitly enabled by administrators for legitimate purposes, the lack of execution time limits creates an exploitable gap in the system's defenses. This vulnerability aligns with CWE-778 (Insufficient Logging) and CWE-400 (Uncontrolled Resource Consumption) classifications, as it demonstrates both inadequate resource monitoring and unbounded resource allocation.

From an attacker perspective, this vulnerability can be exploited through the standard database interface using authenticated sessions, making it particularly dangerous in environments where administrative access might be compromised. The attack requires minimal sophistication since it only needs to submit JavaScript code that runs indefinitely, though the effectiveness depends on the server's computational resources and available memory. This weakness can be categorized under ATT&CK technique T1499.004 (Endpoint Denial of Service) and represents a privilege escalation vector when combined with authentication access.

The recommended mitigation involves updating to SurrealDB versions 2.0.5, 2.1.5, or 2.2.2, which implement proper execution-time limits for embedded JavaScript functions. Administrators should also consider implementing additional monitoring for unusual script execution patterns and establishing stricter resource allocation policies for database processes. The fix addresses the core issue by introducing time-based execution constraints that prevent any single JavaScript function from consuming excessive resources indefinitely, thereby maintaining system stability while preserving legitimate scripting functionality for authorized use cases.

Responsible

VulnCheck

Reservation

07/16/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!