GHSA-wjjj-24cx-f28g
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
Details
A single unauthenticated WebSocket message to `/rpc` crashed the SurrealDB server. Sending `use { db: "x" }` without first selecting a namespace hit `.expect("namespace should be set")` in the `use` handler; because `surrealdb-core` is built with `panic = 'abort'`, the panic is not unwound and caught but terminates the whole process. `use` is callable before `signin`, and the per-method capability check passes by default for guest callers, so no credentials, token, or `--allow-guests` flag are required.
### Impact
An unauthenticated remote attacker who could reach the `/rpc` endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.
### Patches
A patch has been introduced that returns a typed `invalid_params` response when `db` is set on a session with no `ns`, replacing the panic.
- Versions 3.1.0 and later are not affected by this issue.
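The following is an illustrative model of the failure mode described under Details and of the behaviour described under Patches. It is an added example, not code from SurrealDB's source: the `Session`, `UseParams`, `use_vulnerable` and `use_fixed` names, the `RpcError` type and the error message text are assumptions, and the real handler's signature and session type differ. The vulnerable handler follows the `.expect` pattern; the fixed one reports the same unmet precondition as a typed `invalid_params` error and leaves the session untouched.

```rust
// Illustrative model of the `use` RPC handler (assumed names; not SurrealDB's code).
use std::panic::{self, catch_unwind};

/// Connection-scoped session state: neither namespace nor database is set
/// on a fresh, unauthenticated connection.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct Session {
    pub ns: Option<String>,
    pub db: Option<String>,
}

/// Typed error returned to the caller instead of panicking (assumed shape).
#[derive(Debug, Clone, PartialEq)]
pub enum RpcError {
    InvalidParams(String),
}

/// Parameters of a `use` call; either field may be omitted by the client.
#[derive(Debug, Default, Clone)]
pub struct UseParams {
    pub ns: Option<String>,
    pub db: Option<String>,
}

/// Vulnerable pattern: selecting a database assumes a namespace was already
/// selected. For `use { db: "x" }` on a fresh session the `.expect` panics;
/// with `panic = 'abort'` in the build profile that panic kills the process.
pub fn use_vulnerable(session: &mut Session, params: UseParams) {
    if let Some(ns) = params.ns {
        session.ns = Some(ns);
    }
    if let Some(db) = params.db {
        let _ns = session.ns.as_ref().expect("namespace should be set");
        session.db = Some(db);
    }
}

/// Hardened pattern: the same precondition is checked explicitly and reported
/// as an invalid_params error, so a malformed request cannot take the server down.
pub fn use_fixed(session: &mut Session, params: UseParams) -> Result<(), RpcError> {
    if let Some(ns) = params.ns {
        session.ns = Some(ns);
    }
    if let Some(db) = params.db {
        if session.ns.is_none() {
            return Err(RpcError::InvalidParams(
                "a namespace must be selected before a database".to_string(),
            ));
        }
        session.db = Some(db);
    }
    Ok(())
}

/// Demonstrates that the vulnerable handler panics on `use { db: "x" }`.
/// `catch_unwind` only works here because the default profile unwinds;
/// under `panic = 'abort'` the same panic ends the process instead.
pub fn vulnerable_panics_on_db_only() -> bool {
    let prev = panic::take_hook();
    panic::set_hook(Box::new(|_| {})); // keep the panic message out of stderr
    let outcome = catch_unwind(|| {
        let mut session = Session::default();
        use_vulnerable(&mut session, UseParams { ns: None, db: Some("x".to_string()) });
    });
    panic::set_hook(prev);
    outcome.is_err()
}

fn main() {
    // Constructed request: select a database on a fresh session, no namespace.
    let malformed = UseParams { ns: None, db: Some("x".to_string()) };

    let mut session = Session::default();
    match use_fixed(&mut session, malformed.clone()) {
        Err(e) => println!("fixed handler rejected the request: {:?}", e),
        Ok(()) => println!("fixed handler accepted the request"),
    }
    println!("vulnerable handler panics on the same request: {}", vulnerable_panics_on_db_only());
}
```

The essential difference is that `use_fixed` turns an attacker-controllable precondition into a request-level error, whereas `use_vulnerable` treats it as an internal invariant. Any `.expect`/`.unwrap` reachable from an unauthenticated request path is worth auditing for the same reason, and doubly so in a binary built with `panic = 'abort'`.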
### Workarounds
Affected users who are unable to update should restrict network access to the `/rpc` endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash. Note that a supervisor only shortens each outage: the triggering message can simply be resent, so network restriction is the workaround that actually prevents the crash.
Affected packages
- `surrealdb` (ecosystem: crates.io), fixed in 3.1.0. Upgrade to 3.1.0 or newer.