CVE-2024-58368
Received Received - Intake

SurrealDB HTTP REST API Header Parsing Flaw Leads to Server Crash

Vulnerability report for CVE-2024-58368, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
surrealdb surrealdb to 1.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests when they contain special characters. This causes an uncaught exception that crashes the server, leading to a denial of service (DoS) attack. Unauthenticated attackers can exploit this by sending crafted HTTP requests with malformed header values.

Detection Guidance

Monitor SurrealDB server logs for crashes or uncaught exceptions during HTTP requests. Check for malformed header values in ID, DB, or NS fields. Use network traffic analysis tools like tcpdump or Wireshark to inspect HTTP headers for suspicious patterns.

Impact Analysis

This vulnerability allows unauthenticated attackers to crash the SurrealDB server by sending malicious HTTP requests. The impact is a denial of service, making the database unavailable for legitimate users. The server must be manually restarted or configured to auto-restart after a crash.

Compliance Impact

This vulnerability primarily causes a denial of service by crashing the SurrealDB server, which could lead to prolonged downtime and potential data unavailability. For GDPR, this may impact the availability of personal data processing systems, potentially violating Article 32 requirements for resilience and availability. For HIPAA, it could disrupt access to protected health information, affecting the integrity and availability of electronic protected health information (ePHI) as required by the Security Rule.

Mitigation Strategies

Upgrade SurrealDB to version 1.1.0 or later immediately. Restrict network access to the HTTP REST API endpoint. Implement auto-restart mechanisms for the SurrealDB process to recover from crashes. Consider disabling the API if not required.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart