HIGH 7.5

GHSA-wjjj-24cx-f28g

SurrealDB has unauthenticated remote DoS via malformed RPC `use` call

Details

A single unauthenticated WebSocket message to `/rpc` crashed the SurrealDB server. Sending `use { db: "x" }` without first selecting a namespace hit `.expect("namespace should be set")` in the `use` handler; because `surrealdb-core` is built with `panic = 'abort'`, the panic terminated the process. `use` is callable before `signin`, and the per-method capability check passes by default for guest callers — so no credentials, token, or `--allow-guests` flag are required.

### Impact

An unauthenticated remote attacker who could reach the `/rpc` endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.

### Patches

A patch has been introduced that returns a typed `invalid_params` response when `db` is set on a session with no `ns`, replacing the panic.

- Versions 3.1.0 and later are not affected by this issue.
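To make the crash path in Details and the fix in Patches concrete, here is an added Rust model of the two handler shapes; it is not SurrealDB's source, and `Session`, `UseParams`, `RpcError` and both handler functions are hypothetical names for this example.

```rust
// Added illustration, not SurrealDB's code: a minimal model of the RPC `use`
// handler described in the advisory. Session, UseParams, RpcError and the two
// handler functions are hypothetical names chosen for this example.

/// Per-connection session state; both fields are unset on a fresh WebSocket.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct Session {
    pub ns: Option<String>,
    pub db: Option<String>,
}

/// Parameters of `use { ns, db }`; the client may omit either one.
#[derive(Debug, Default, Clone)]
pub struct UseParams {
    pub ns: Option<String>,
    pub db: Option<String>,
}

#[derive(Debug, Clone, PartialEq)]
pub enum RpcError {
    InvalidParams(String),
}

/// Vulnerable shape: assumes a namespace is already selected whenever a
/// database is given. Under `panic = 'abort'` this `expect` ends the process,
/// and it is reachable by an unauthenticated caller before `signin`.
pub fn use_handler_vulnerable(session: &mut Session, params: UseParams) -> Result<Session, RpcError> {
    if let Some(ns) = params.ns {
        session.ns = Some(ns);
    }
    if let Some(db) = params.db {
        let _ns = session.ns.as_ref().expect("namespace should be set");
        session.db = Some(db);
    }
    Ok(session.clone())
}

/// Patched shape: the same precondition becomes a typed `invalid_params`
/// error returned to the caller, and the session is left unchanged.
pub fn use_handler_fixed(session: &mut Session, params: UseParams) -> Result<Session, RpcError> {
    if let Some(ns) = params.ns {
        session.ns = Some(ns);
    }
    if let Some(db) = params.db {
        if session.ns.is_none() {
            return Err(RpcError::InvalidParams(
                "a namespace must be selected before a database".to_string(),
            ));
        }
        session.db = Some(db);
    }
    Ok(session.clone())
}
```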

### Workarounds

Affected users who are unable to update should restrict network access to the `/rpc` endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.


Affected packages

crates.io / surrealdb
Introduced in: 0 Fixed in: 3.1.0

Upgrade surrealdb to 3.1.0 or newer (ecosystem crates.io).
