MEDIUM 4.3

GHSA-6g9v-7gq3-p2c6

SurrealDB: Authenticated callers can read fields hidden by field-level SELECT permissions via error messages

Details

Before 3.1.0, a record user with UPDATE access could read field values that field-level SELECT permissions hid from them. Arithmetic operators and `extend` embedded the raw operand in their error messages, and UPDATE permission checks evaluate against the unreduced document (the record as stored, before field-level SELECT permissions remove the hidden fields), so triggering such an error against a hidden field returned its value in the resulting error.

### Impact

A record user issues an UPDATE that applies an incompatible operation to a hidden field, e.g. `UPDATE person:me SET probe = email + 1` when `email` is a string, and reads the value from the returned error (`Tried to compute "alice@example.com" + 1 …`). Each error discloses a single field value, but the attacker can repeat the probe against every field of any record they are allowed to UPDATE.

### Patches

A patch has been introduced that replaces the raw operand in every `try_*` operator and in `extend` with the operand's type name (`"string"`, `"int"`, `"array"`, etc.).

- Versions 3.1.0 and later are not affected by this issue.

### Workarounds

Affected users who cannot upgrade should not grant UPDATE permission on records whose field-level SELECT permissions are meant to hide values from the same caller: any caller allowed to UPDATE a record should be one that is also allowed to see all of its fields.
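The configuration, the probe from the Impact section and the workaround above, written out in SurrealQL as an added illustration (not code from the advisory or from the SurrealDB project). The table `person`, the fields `email` and `probe`, the record `person:me` and the use of `$auth.id` are assumptions; it also assumes a record access method (`DEFINE ACCESS ... TYPE RECORD`) is already defined so that the probing caller authenticates as `person:me`.

```sql
-- Added illustration; assumed names: table person, fields email/probe, record person:me.
-- Assumes a record access method already exists so that the caller's $auth.id = person:me.

-- 1. Vulnerable setup: the record user may UPDATE its own record, while the
--    email field is hidden from its SELECTs by a field-level permission.
DEFINE TABLE person SCHEMAFULL
    PERMISSIONS
        FOR select, update WHERE id = $auth.id
        FOR create, delete NONE;

DEFINE FIELD email ON TABLE person TYPE string
    PERMISSIONS FOR select NONE;          -- never returned to record users

DEFINE FIELD probe ON TABLE person TYPE option<int>;

-- Seeded by a system (root, namespace or database) user, since record users cannot CREATE:
CREATE person:me SET email = 'alice@example.com';

-- 2. Probe, run as the record user. SELECT honours the field permission, so
--    the result contains id (and probe) but no email:
SELECT * FROM person:me;

--    The UPDATE evaluates email + 1 against the unreduced document. A string
--    cannot be added to an int, so the statement fails; before 3.1.0 the error
--    text embeds the hidden operand ("alice@example.com"), from 3.1.0 on it
--    names only the operand's type ("string").
UPDATE person:me SET probe = email + 1;

-- 3. Workaround for versions below 3.1.0: a caller from whom fields are hidden
--    must not be able to UPDATE the record. Record users lose UPDATE here;
--    writes go through a system user or an API layer instead.
DEFINE TABLE OVERWRITE person SCHEMAFULL
    PERMISSIONS
        FOR select WHERE id = $auth.id
        FOR create, update, delete NONE;
```

Run steps 1 and 2 against an instance older than 3.1.0 and the same instance after upgrading to compare the two error texts; if the hidden value appears in the error, the instance is affected and the step 3 permission change (or the upgrade) is needed.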


Affected packages

crates.io / surrealdb
Introduced in: 0 Fixed in: 3.1.0

Upgrade surrealdb to 3.1.0 or newer (ecosystem crates.io).
