CVE-2025-71397 in SurrealDBinfo

Summary

by MITRE • 07/18/2026

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 allows authenticated users with OWNER or EDITOR permissions (at the root, namespace, or database level) to define custom database functions via DEFINE FUNCTION using nested FOR loops. Although a single loop's iteration count is constrained, nesting multiple loops (e.g., each with 1,000,000 iterations) is not, so an attacker can execute a function that consumes all server CPU time. Configured timeouts do not stop the execution, rendering the server unresponsive to other queries and connections until it is manually restarted.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/18/2026

This vulnerability exists in SurrealDB versions prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2 where authenticated users with OWNER or EDITOR permissions at root, namespace, or database levels can exploit a design flaw in the function definition mechanism. The issue stems from insufficient loop iteration controls that allow nested FOR loops to execute without proper bounds checking, creating a potential denial of service scenario. When attackers define functions containing deeply nested loops with large iteration counts, each loop maintains its own iteration limit but the cumulative effect of multiple nested loops can exhaust all available CPU resources. This flaw specifically targets the DEFINE FUNCTION statement which permits users to create custom database functions, making it particularly dangerous in environments where users have elevated permissions.

The technical implementation of this vulnerability relies on the fact that while individual FOR loops within SurrealDB functions are capped at reasonable iteration limits, there is no mechanism to prevent the multiplication of these iterations through nesting. An attacker can construct a function with multiple nested loops where each loop contains one million iterations, resulting in a total execution count of one trillion operations that can completely monopolize CPU resources. The system's timeout mechanisms fail to interrupt this execution pattern because they are designed to handle individual query timeouts rather than detect and terminate runaway loop constructs. This design oversight creates an opportunity for privilege escalation attacks where users with relatively low-level permissions can cause complete service disruption.

The operational impact of this vulnerability is severe as it enables authenticated attackers to perform a denial of service attack against the database server, rendering it unresponsive to legitimate queries and connections until manual intervention occurs through server restart. This affects the availability aspect of the CIA triad and can result in significant downtime for applications relying on SurrealDB services. The vulnerability is particularly dangerous because it only requires users with OWNER or EDITOR permissions, which are typically granted to trusted personnel but could be compromised through credential theft or insider threats. Organizations may experience cascading failures as dependent systems become unavailable due to the database server's unresponsiveness.

Mitigation strategies should focus on implementing comprehensive loop iteration controls that prevent arbitrary nesting of loops within function definitions, establishing global execution time limits for custom functions, and restricting the ability to define complex nested constructs from user accounts with elevated permissions. Organizations should immediately upgrade to SurrealDB versions 2.0.5, 2.1.5, or 2.2.2 where this vulnerability has been patched, while also implementing monitoring mechanisms to detect unusual function execution patterns. Additional defensive measures include configuring stricter resource limits for database sessions and implementing automated alerting when CPU utilization exceeds predefined thresholds during function execution periods. This vulnerability aligns with CWE-835 which addresses infinite loops and improper loop termination, and represents a variant of the broader ATT&CK technique T1496 for resource exhaustion attacks through malicious code execution.

Responsible

VulnCheck

Reservation

07/16/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!