CVE-2024-58370
Received Received - Intake

SurrealDB Stack Overflow via Excessive SurrealQL Nesting

Vulnerability report for CVE-2024-58370, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit queries with excessive nesting depth to cause stack overflow and crash the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
surrealdb surrealdb to 1.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects SurrealDB versions before 1.1.0. It occurs when the system fails to limit recursion depth while parsing nested SurrealQL statements like IF, RELATE, or attribute access. Authorized attackers can exploit this by sending queries with excessive nesting, causing a stack overflow that crashes the server.

Detection Guidance

Monitor SurrealDB server logs for crashes or stack overflow errors during query processing. Check for excessive CPU or memory usage when processing complex nested queries. Use network traffic analysis to detect unusually deep or frequent nested SurrealQL queries from authorized users.

Impact Analysis

The impact includes server crashes due to stack overflow, leading to denial of service. This disrupts database operations and may cause downtime for applications relying on SurrealDB. Authorized users could exploit this to make the system unavailable.

Compliance Impact

This vulnerability primarily causes a denial of service (DoS) by crashing the SurrealDB server through stack overflow. It does not directly impact data confidentiality, integrity, or privacy. However, repeated crashes could disrupt system availability, potentially violating availability requirements in GDPR (Article 32) and HIPAA (Security Rule Β§164.308(a)(7)). Organizations must ensure server stability to maintain compliance.

Mitigation Strategies
  • Upgrade SurrealDB to version 1.1.0 or later to address the recursion depth issue.
  • Restrict untrusted users from executing arbitrary SurrealQL queries to limit attack surface.
  • Configure the SurrealDB process to restart automatically after crashes to maintain availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart