GHSA-q8qp-67f9-wr3f
SurrealDB vulnerable to Denial of Service due to nested type annotations
Details
The SurrealDB type/kind parser did not enforce the configured recursion depth limit when parsing nested type annotations. The expression parser already enforced the limit for analogous constructs; the kind parser omitted it. An authenticated attacker could send a query with deeply nested type annotations (e.g., `array<option<array<option<...>>>>`) and exhaust server memory, crashing the process.
This is an incomplete fix for [GHSA-6r8p-hpg7-825g](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g), which addressed the same class of bug in the expression parser but did not cover the kind/type annotation parser code path.
### Impact
An authenticated user with query execution privileges can crash a SurrealDB server with a single WebSocket message containing deeply nested type annotations.
### Patches
A patch has been introduced that wraps `parse_concrete_kind` and the `OPTION<...>` arm of `parse_inner_kind` with `enter_object_recursion!`, bounding the recursive cycle `parse_concrete_kind → parse_inner_kind → parse_inner_single_kind → parse_concrete_kind` at the configured `object_recursion_limit` (default 100). Regression tests cover both cast and `DEFINE FIELD` paths.
- Versions 3.1.0 and later are not affected by this issue.
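To make the fix concrete, here is an added example (not SurrealDB's code; `KindParser`, `enter`, `nested_annotation` and the `Kind`/`ParseError` types are hypothetical names chosen for this illustration) of a small recursive-descent parser for `array<...>` / `option<...>` kind annotations whose every recursive entry point is wrapped in a depth guard. The `enter` helper plays the role the advisory assigns to `enter_object_recursion!`: it refuses to descend past the configured limit (100 here, matching the stated default `object_recursion_limit`) and restores the counter on the way out, so a deeply nested annotation is rejected after at most `limit` levels instead of growing the stack and heap with the input.

```rust
// Added example: bounded-recursion kind parser. Not SurrealDB's code;
// all names here are hypothetical. Mirrors the pattern the advisory describes:
// guard every recursive entry point with a depth counter.

#[derive(Debug, Clone, PartialEq)]
pub enum Kind {
    Int,
    Str,
    Array(Box<Kind>),
    Option(Box<Kind>),
}

#[derive(Debug, Clone, PartialEq)]
pub enum ParseError {
    /// Nesting exceeded the configured limit; parsing stops here, before
    /// the stack or heap can grow in proportion to the input.
    RecursionLimit { limit: usize },
    Unexpected(String),
    UnexpectedEnd,
}

/// Default taken from the advisory's stated `object_recursion_limit`.
pub const DEFAULT_OBJECT_RECURSION_LIMIT: usize = 100;

pub struct KindParser<'a> {
    src: &'a [u8],
    pos: usize,
    depth: usize,
    limit: usize,
}

impl<'a> KindParser<'a> {
    pub fn new(src: &'a str, limit: usize) -> Self {
        KindParser { src: src.as_bytes(), pos: 0, depth: 0, limit }
    }

    /// Depth guard (analogue of `enter_object_recursion!`): refuse to go
    /// deeper than `limit`, and always unwind the counter, even on error.
    fn enter<T>(&mut self, f: impl FnOnce(&mut Self) -> Result<T, ParseError>) -> Result<T, ParseError> {
        if self.depth >= self.limit {
            return Err(ParseError::RecursionLimit { limit: self.limit });
        }
        self.depth += 1;
        let result = f(self);
        self.depth -= 1;
        result
    }

    /// Parse a complete annotation and reject trailing garbage.
    pub fn parse(&mut self) -> Result<Kind, ParseError> {
        let kind = self.parse_kind()?;
        self.skip_ws();
        if self.pos != self.src.len() {
            let rest = String::from_utf8_lossy(&self.src[self.pos..]).into_owned();
            return Err(ParseError::Unexpected(rest));
        }
        Ok(kind)
    }

    /// The only recursive function; every call passes through `enter`.
    fn parse_kind(&mut self) -> Result<Kind, ParseError> {
        self.enter(|p| {
            let name = p.ident()?;
            match name.as_str() {
                "int" => Ok(Kind::Int),
                "string" => Ok(Kind::Str),
                "array" => Ok(Kind::Array(Box::new(p.parse_inner()?))),
                "option" => Ok(Kind::Option(Box::new(p.parse_inner()?))),
                other => Err(ParseError::Unexpected(other.to_string())),
            }
        })
    }

    /// `<` kind `>` for the generic wrappers.
    fn parse_inner(&mut self) -> Result<Kind, ParseError> {
        self.expect(b'<')?;
        let inner = self.parse_kind()?;
        self.expect(b'>')?;
        Ok(inner)
    }

    fn skip_ws(&mut self) {
        while self.pos < self.src.len() && self.src[self.pos].is_ascii_whitespace() {
            self.pos += 1;
        }
    }

    fn ident(&mut self) -> Result<String, ParseError> {
        self.skip_ws();
        let start = self.pos;
        while self.pos < self.src.len() && self.src[self.pos].is_ascii_alphanumeric() {
            self.pos += 1;
        }
        if start == self.pos {
            return Err(match self.src.get(self.pos) {
                Some(&b) => ParseError::Unexpected((b as char).to_string()),
                None => ParseError::UnexpectedEnd,
            });
        }
        Ok(String::from_utf8_lossy(&self.src[start..self.pos]).to_ascii_lowercase())
    }

    fn expect(&mut self, want: u8) -> Result<(), ParseError> {
        self.skip_ws();
        match self.src.get(self.pos) {
            Some(&b) if b == want => { self.pos += 1; Ok(()) }
            Some(&b) => Err(ParseError::Unexpected((b as char).to_string())),
            None => Err(ParseError::UnexpectedEnd),
        }
    }
}

pub fn parse_kind(src: &str, limit: usize) -> Result<Kind, ParseError> {
    KindParser::new(src, limit).parse()
}

/// Constructed test input: `depth` alternating option/array wrappers around `int`.
pub fn nested_annotation(depth: usize) -> String {
    let mut s = String::from("int");
    for i in 0..depth {
        let wrapper = if i % 2 == 0 { "option" } else { "array" };
        s = format!("{}<{}>", wrapper, s);
    }
    s
}

fn main() {
    println!("{:?}", parse_kind("array<option<int>>", DEFAULT_OBJECT_RECURSION_LIMIT));
    let deep = nested_annotation(10_000);
    println!("{:?}", parse_kind(&deep, DEFAULT_OBJECT_RECURSION_LIMIT));
}
```

The regression check a maintainer would keep alongside such a fix is the pair of inputs at the boundary: one nested exactly `limit` levels deep must still parse, and one level deeper must come back as `RecursionLimit` rather than consuming memory, regardless of how much deeper the input actually goes.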
### Workarounds
Restrict the ability of untrusted users to execute arbitrary queries via the `--deny-arbitrary-query` capability flag for the affected user classes (guest, record, or system). Disabling untrusted access to the WebSocket `/rpc` endpoint also prevents exploitation; the HTTP `/sql` endpoint's 1 MiB body limit constrains nesting to a depth where OOM is not feasible.
### Affected packages
surrealdb (crates.io): fixed in 3.1.0. Upgrade surrealdb to 3.1.0 or newer.