GHSA-q729-696q-g9pq
SurrealDB has Denial of Service in JSON parser due to nested objects
Details
The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested `{`, `[`, or `(` tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket `/rpc` endpoint and exhaust server memory, crashing the process.
This is an incomplete fix for [GHSA-6r8p-hpg7-825g](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g), which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.
### Impact
An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.
### Patches
A patch enforces the configured recursion depth limit in `parse_value` and `parse_json`, bringing them in line with the rest of the parser.
- Versions 3.1.0 and later are not affected by this issue.
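SurrealDB's parser is written in Rust, so the fix described above is illustrated here in Rust with a minimal recursive-descent JSON parser (an added example, not SurrealDB's own code): `parse_value` threads the configured recursion depth limit through every nested `[` and `{` and refuses to recurse once the limit is reached, which is the check this advisory says the value/JSON path lacked. The names `Parser`, `Json`, `Error` and `max_depth` are assumptions, not the project's; scalars are limited to `null` and strings, and string escapes are kept verbatim.

```rust
// Added example, not SurrealDB's own code: a small recursive-descent JSON parser whose
// `parse_value` enforces the configured depth limit before descending into any `[` or `{`.
#[derive(Debug, PartialEq)]
pub enum Json { Null, Str(String), Array(Vec<Json>), Object(Vec<(String, Json)>) }
#[derive(Debug, PartialEq)]
pub enum Error { DepthExceeded, Unexpected(usize) } // Unexpected(src.len()) means EOF
pub struct Parser<'a> { pub src: &'a [u8], pub pos: usize, pub max_depth: usize }
impl<'a> Parser<'a> {
    fn peek(&mut self) -> Option<u8> {
        while self.src.get(self.pos).map_or(false, u8::is_ascii_whitespace) { self.pos += 1; }
        self.src.get(self.pos).copied()
    }
    /// Consume `want`, or report the offset where parsing stopped.
    fn eat(&mut self, want: u8) -> Result<(), Error> {
        if self.peek() != Some(want) { return Err(Error::Unexpected(self.pos)); }
        self.pos += 1; Ok(())
    }
    /// Scan a `"..."` literal; escape sequences are kept verbatim, not decoded.
    fn string(&mut self) -> Result<String, Error> {
        self.eat(b'"')?;
        let start = self.pos;
        while *self.src.get(self.pos).ok_or(Error::Unexpected(self.pos))? != b'"' {
            self.pos += if self.src[self.pos] == b'\\' { 2 } else { 1 };
        }
        self.pos += 1;
        Ok(String::from_utf8_lossy(&self.src[start..self.pos - 1]).into_owned())
    }
    fn seq<T>(&mut self, close: u8, mut item: impl FnMut(&mut Self) -> Result<T, Error>) -> Result<Vec<T>, Error> {
        let mut out = Vec::new();
        while self.peek() != Some(close) {
            if !out.is_empty() { self.eat(b',')?; }
            out.push(item(self)?);
        }
        self.pos += 1; Ok(out)
    }
    /// `depth` counts containers already open; the check runs before every recursive call.
    pub fn parse_value(&mut self, depth: usize) -> Result<Json, Error> {
        match self.peek() {
            Some(b'[' | b'{') if depth >= self.max_depth => Err(Error::DepthExceeded),
            Some(b'[') => { self.pos += 1; Ok(Json::Array(self.seq(b']', |p| p.parse_value(depth + 1))?)) }
            Some(b'{') => { self.pos += 1; Ok(Json::Object(self.seq(b'}', |p| {
                let key = p.string()?; p.eat(b':')?;
                Ok((key, p.parse_value(depth + 1)?))
            })?)) }
            Some(b'"') => Ok(Json::Str(self.string()?)),
            Some(b'n') if self.src[self.pos..].starts_with(b"null") => { self.pos += 4; Ok(Json::Null) }
            _ => Err(Error::Unexpected(self.pos)),
        }
    }
}
```

With `max_depth` set to 64, a payload of a million unclosed `[` tokens returns `DepthExceeded` after 64 frames instead of recursing until the process runs out of stack or memory.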
### Workarounds
Restrict network access to the WebSocket `/rpc` endpoint to trusted clients.
Affected packages
- surrealdb (ecosystem: crates.io), fixed in 3.1.0. Upgrade surrealdb to 3.1.0 or newer.