Severity: MEDIUM (6.5)

GHSA-q8qp-67f9-wr3f

SurrealDB vulnerable to Denial of Service due to nested types annotations

Details

The SurrealDB type/kind parser did not enforce the configured recursion depth limit when parsing nested type annotations. The expression parser already enforced the limit for analogous constructs; the kind parser omitted it. An authenticated attacker could send a query with deeply nested type annotations (e.g., `array<option<array<option<...>>>>`) and exhaust server memory, crashing the process.

This is an incomplete fix for [GHSA-6r8p-hpg7-825g](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g), which addressed the same class of bug in the expression parser but did not cover the kind/type annotation parser code path.

### Impact

An authenticated user with query execution privileges can crash a SurrealDB server with a single WebSocket message containing deeply nested type annotations.

### Patches

A patch has been introduced that wraps `parse_concrete_kind` and the `OPTION<...>` arm of `parse_inner_kind` with `enter_object_recursion!`, bounding the recursive cycle `parse_concrete_kind → parse_inner_kind → parse_inner_single_kind → parse_concrete_kind` at the configured `object_recursion_limit` (default 100). Regression tests cover both cast and `DEFINE FIELD` paths.

- Versions 3.1.0 and later are not affected by this issue.
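An added illustration of the guard described in the Patches section, written for this page and not taken from SurrealDB's code: a toy kind parser in Rust in which one recursion guard (`enter`, standing in for `enter_object_recursion!`) is entered on every nesting step, so the `array<...>` / `option<...>` cycle is bounded by a configurable limit. All names here (`Kind`, `KindParser`, `parse_kind`, `nested_kind`) are assumptions; the input strings are constructed for the example. Passing `usize::MAX` as the limit reproduces the unbounded behaviour of the unpatched code path.

```rust
// Added example (not SurrealDB's code). Toy kind parser with a depth guard.

#[derive(Debug, PartialEq, Clone)]
pub enum Kind {
    Any,
    Bool,
    Int,
    String,
    Array(Box<Kind>),
    Option(Box<Kind>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    RecursionLimit { limit: usize },
    Unexpected(String),
}

pub struct KindParser<'a> {
    src: &'a [u8],
    pos: usize,
    depth: usize,
    /// Analogue of the `object_recursion_limit` named in the advisory (default 100 there).
    limit: usize,
}

impl<'a> KindParser<'a> {
    pub fn new(src: &'a str, limit: usize) -> Self {
        KindParser { src: src.as_bytes(), pos: 0, depth: 0, limit }
    }

    /// Analogue of `enter_object_recursion!`: count one nesting step and fail closed at the limit.
    fn enter(&mut self) -> Result<(), ParseError> {
        if self.depth >= self.limit {
            return Err(ParseError::RecursionLimit { limit: self.limit });
        }
        self.depth += 1;
        Ok(())
    }

    fn leave(&mut self) {
        self.depth -= 1;
    }

    fn skip_ws(&mut self) {
        while self.pos < self.src.len() && self.src[self.pos].is_ascii_whitespace() {
            self.pos += 1;
        }
    }

    fn ident(&mut self) -> String {
        self.skip_ws();
        let start = self.pos;
        while self.pos < self.src.len()
            && (self.src[self.pos].is_ascii_alphanumeric() || self.src[self.pos] == b'_')
        {
            self.pos += 1;
        }
        String::from_utf8_lossy(&self.src[start..self.pos]).to_ascii_lowercase()
    }

    fn expect(&mut self, c: u8) -> Result<(), ParseError> {
        self.skip_ws();
        if self.pos < self.src.len() && self.src[self.pos] == c {
            self.pos += 1;
            Ok(())
        } else {
            Err(ParseError::Unexpected(format!("expected '{}' at byte {}", c as char, self.pos)))
        }
    }

    /// Parse a complete kind and require that nothing follows it.
    pub fn parse(mut self) -> Result<Kind, ParseError> {
        let kind = self.parse_kind()?;
        self.skip_ws();
        if self.pos != self.src.len() {
            return Err(ParseError::Unexpected(format!("trailing input at byte {}", self.pos)));
        }
        Ok(kind)
    }

    /// The recursive cycle: parse_kind -> array/option arm -> parse_kind -> ...
    /// Every pass through here enters the guard, so the cycle is bounded by `limit`.
    fn parse_kind(&mut self) -> Result<Kind, ParseError> {
        self.enter()?;
        let result = self.parse_kind_inner();
        self.leave(); // always unwind the counter, on error paths too
        result
    }

    fn parse_kind_inner(&mut self) -> Result<Kind, ParseError> {
        let name = self.ident();
        match name.as_str() {
            "any" => Ok(Kind::Any),
            "bool" => Ok(Kind::Bool),
            "int" => Ok(Kind::Int),
            "string" => Ok(Kind::String),
            "array" | "option" => {
                self.expect(b'<')?;
                let inner = Box::new(self.parse_kind()?); // recursion happens here
                self.expect(b'>')?;
                Ok(if name == "array" { Kind::Array(inner) } else { Kind::Option(inner) })
            }
            other => Err(ParseError::Unexpected(format!("unknown kind '{}'", other))),
        }
    }
}

/// Convenience wrapper: parse `src` under the given depth limit.
pub fn parse_kind(src: &str, limit: usize) -> Result<Kind, ParseError> {
    KindParser::new(src, limit).parse()
}

/// Constructed test input: `array<option<array<option<...int...>>>>` with `depth` wrappers.
pub fn nested_kind(depth: usize) -> String {
    let mut s = String::new();
    for i in 0..depth {
        s.push_str(if i % 2 == 0 { "array<" } else { "option<" });
    }
    s.push_str("int");
    s.push_str(&">".repeat(depth));
    s
}

fn main() {
    println!("{:?}", parse_kind("array<option<int>>", 100));
    println!("{:?}", parse_kind(&nested_kind(99), 100)); // 100 nesting steps: accepted
    println!("{:?}", parse_kind(&nested_kind(100), 100)); // 101 steps: RecursionLimit
    // usize::MAX emulates the unpatched path; do not feed it large inputs, each level costs
    // stack and heap until the process dies, which is the failure mode in the advisory.
    println!("{:?}", parse_kind(&nested_kind(100), usize::MAX).is_ok());
}
```

With `limit = 100` the wrapper count plus the innermost base type gives the number of guard entries, so `nested_kind(99)` parses and `nested_kind(100)` is rejected before any further allocation. The point the example makes is the one the patch makes: the guard must sit on the function that the cycle re-enters, not only on the sibling expression parser.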

### Workarounds

Restrict the ability of untrusted users to execute arbitrary queries via the `--deny-arbitrary-query` capability flag for the affected user classes (guest, record, or system). Disabling untrusted access to the WebSocket `/rpc` endpoint also prevents exploitation; the HTTP `/sql` endpoint's 1 MiB body limit constrains nesting to a depth where OOM is not feasible.


Affected packages

crates.io / surrealdb
First affected version: 0 (all releases before 3.1.0); fixed version: 3.1.0

Upgrade surrealdb to 3.1.0 or newer (ecosystem crates.io).

References