CVE-2025-71393
Received Received - Intake

SurrealDB Recursion Bypass via JavaScript Query Chaining

Vulnerability report for CVE-2025-71393, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion and exhaust server memory.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
surrealdb surrealdb to 2.2.2 (exc)
surrealdb surrealdb to 2.1.5 (exc)
surrealdb surrealdb to 2.0.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a memory exhaustion vulnerability in SurrealDB versions before 2.2.2 when scripting is enabled. It occurs when native functions contain embedded JavaScript that issues new queries, bypassing recursion limits. This triggers infinite recursion, consuming server memory until the system crashes.

Detection Guidance

To detect this vulnerability, check if SurrealDB is running with scripting enabled using --allow-scripting, --allow-all, or environment variables like SURREAL_CAPS_ALLOW_SCRIPT. Verify the version with 'surreal version' or check the running process. Monitor for high memory usage or server crashes during query execution.

Impact Analysis

Authenticated attackers could exploit this to perform a denial-of-service attack, crashing the SurrealDB server by exhausting its memory. This would disrupt database operations and make the system unavailable to legitimate users.

Compliance Impact

This vulnerability primarily impacts system availability by enabling denial-of-service attacks through memory exhaustion. While it does not directly violate GDPR or HIPAA, it could lead to non-compliance if the affected system is used to process or store regulated data. For example, GDPR requires appropriate security measures to ensure data availability and integrity, and a DoS condition could disrupt access to personal data. Similarly, HIPAA mandates safeguards against unauthorized access or disruptions that could compromise protected health information.

Mitigation Strategies

Immediately upgrade SurrealDB to versions 2.0.5, 2.1.5, or 2.2.2 or later. Alternatively, disable scripting by starting SurrealDB with --deny-scripting or setting SURREAL_CAPS_DENY_SCRIPT. Restrict authenticated user access to prevent exploitation until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart