CVE-2025-71391
Received
Received - Intake
SurrealDB Net Module Null Byte HTTP Query Crash
Vulnerability report for CVE-2025-71391, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-18
Last updated on: 2026-07-18
Assigner: VulnCheck
Description
Description
SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instance and any dependent applications.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| surrealdb | surrealdb | to 2.2.2 (exc) |
| surrealdb | surrealdb | 2.1.5 |
| surrealdb | surrealdb | 2.0.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |