CVE-2024-58357
Received Received - Intake

SurrealDB rand::time() Uncaught Exception Denial of Service

Vulnerability report for CVE-2024-58357, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB versions before 2.1.0 contain an uncaught exception vulnerability in the rand::time() function that panics when unwrap is called on a None result from timestamp_opt. Authorized clients can repeatedly invoke rand::time() to reliably trigger server panics and cause denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
surrealdb surrealdb to 2.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects SurrealDB versions before 2.1.0. It involves an uncaught exception in the rand::time() function where calling unwrap on a None result from timestamp_opt causes a server panic. Authorized clients can repeatedly trigger this to cause denial of service.

Detection Guidance

Monitor SurrealDB server logs for repeated crashes or panics, particularly those involving the rand::time() function. Check for excessive calls to this function by authorized clients. Use network monitoring tools to detect unusual traffic patterns targeting SurrealDB instances.

Impact Analysis

An attacker with authorized access could exploit this to crash the SurrealDB server repeatedly, leading to service unavailability. This results in downtime and potential data access issues for users relying on the database.

Compliance Impact

This vulnerability primarily impacts availability, which is a key aspect of compliance for GDPR and HIPAA. Downtime could lead to violations if data access is disrupted during critical operations.

Mitigation Strategies

Upgrade SurrealDB to version 2.1.0 or later immediately. If upgrading is not possible, restrict access to the rand::time() function or implement rate limiting for client calls. Ensure the SurrealDB process is configured to auto-restart after crashes to minimize downtime.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58357. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart