CVE-2025-71392
Received
Received - Intake
SurrealQL Injection in SurrealDB via Malicious Table/Field Names
Vulnerability report for CVE-2025-71392, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-18
Last updated on: 2026-07-18
Assigner: VulnCheck
Description
Description
SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a higher-privileged user subsequently imports the exported backup, the injected SurrealQL executes, enabling privilege escalation and root-level takeover of the SurrealDB instance. Applications that let users define custom tables or fields are also exposed to a universal second-order SurrealQL injection even when query parameters are sanitized.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| surrealdb | surrealdb | to 2.0.5 (exc) |
| surrealdb | surrealdb | From 2.1.0 (inc) to 2.1.5 (exc) |
| surrealdb | surrealdb | From 2.2.0 (inc) to 2.2.2 (exc) |
| surrealdb | surrealdb | to 2.1.5 (exc) |
| surrealdb | surrealdb | to 2.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |