CVE-2025-71392
Received Received - Intake

SurrealQL Injection in SurrealDB via Malicious Table/Field Names

Vulnerability report for CVE-2025-71392, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a higher-privileged user subsequently imports the exported backup, the injected SurrealQL executes, enabling privilege escalation and root-level takeover of the SurrealDB instance. Applications that let users define custom tables or fields are also exposed to a universal second-order SurrealQL injection even when query parameters are sanitized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
surrealdb surrealdb to 2.0.5 (exc)
surrealdb surrealdb From 2.1.0 (inc) to 2.1.5 (exc)
surrealdb surrealdb From 2.2.0 (inc) to 2.2.2 (exc)
surrealdb surrealdb to 2.1.5 (exc)
surrealdb surrealdb to 2.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-71392 is a critical SurrealQL injection vulnerability in SurrealDB versions before 2.0.5, 2.1.5, and 2.2.2. It occurs because table and field names are not properly escaped during export operations. An authenticated user with OWNER or EDITOR roles can create malicious names containing SurrealQL code. When a higher-privileged user imports the exported backup, the injected code executes, allowing privilege escalation and full system compromise.

Detection Guidance

Check SurrealDB version with: surreal version. If version is below 2.0.5, 2.1.5, or 2.2.2, the system is vulnerable. Inspect exported backup files for suspicious table or field names containing SurrealQL code. Monitor for unexpected privilege escalation or unauthorized root access after import operations.

Impact Analysis

This vulnerability allows an attacker with low privileges to escalate to root-level access in SurrealDB. It can lead to complete system takeover, compromising confidentiality, integrity, and availability. Applications permitting custom table or field definitions are also at risk of second-order SurrealQL injection, even with sanitized queries.

Compliance Impact

This vulnerability could lead to unauthorized access, data breaches, or data manipulation, which may violate compliance requirements under GDPR (data protection and privacy) and HIPAA (protected health information security). Unauthorized privilege escalation and system compromise could result in unauthorized disclosure or alteration of sensitive data.

Mitigation Strategies

Upgrade SurrealDB to version 2.0.5, 2.1.5, or 2.2.2 or later immediately. If upgrading is not possible, manually inspect exported backup files for malicious SurrealQL code before importing. Restrict OWNER and EDITOR role privileges to trusted users only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart