VDB
EN
MEDIUM 6.5

GHSA-4v76-cw68-4vc9

SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table required

상세

A `LIVE` query whose `WHERE` clause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type — for example `LIVE SELECT * FROM t WHERE string::trim(deny)` — triggered an evaluation error inside the LIVE notification path. That error then propagated through to the triggering write, rolling back the attempted change.

While such a `LIVE` query was registered, all `CREATE`, `UPDATE`, and `DELETE` operations on the watched table failed — including those issued by a root user — for as long as the registration remained active. Registering the `LIVE` required `select` permission on the table; no other permission on the table was needed.

### Impact

An authenticated user with `select` permission on a table can prevent all `CREATE`, `UPDATE`, and `DELETE` operations on that table — by any other user, up to and including root — for the lifetime of a single registered `LIVE` query. Service is restored when the `LIVE` query is killed or the session that registered it ends.

### Patches

A patch has been introduced that:

1. **Decouples LIVE query evaluation errors from the source transaction** — when `lq_check` returns an error during the LIVE notification path, the error is now reported to the LIVE subscriber as an `Action::Error` notification and the LIVE processing path returns `Ok(())`. The triggering write proceeds normally. 2. **Defers the error notification until after the permission check** — the `Action::Error` notification is only delivered after the LIVE subscription's `PERMISSIONS` clause has been evaluated, so unauthorised subscribers do not learn even that an error occurred (closing an information-disclosure side channel introduced by the first part of the fix).

- Versions 3.1.0 and later are not affected by this issue.

### Workarounds

Users unable to upgrade should restrict the ability of untrusted users to register `LIVE` queries by removing the `select` permission on tables they want to keep writeable, or by gating LIVE registration at the application layer.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

crates.io / surrealdb
최초 영향 버전: 0 수정 버전: 3.1.0

Upgrade surrealdb to 3.1.0 or newer (ecosystem crates.io).

참고