CVE-2025-71396
Received Received - Intake

SurrealDB JavaScript Execution Time Limit Bypass

Vulnerability report for CVE-2025-71396, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicitly enabled (via --allow-scripting or --allow-all). An authenticated attacker can submit long-running JavaScript functions to exhaust server resources and cause a denial of service. Scripting is disabled by default.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
surrealdb surrealdb to 2.0.5 (exc)
surrealdb surrealdb to 2.1.5 (exc)
surrealdb surrealdb to 2.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects SurrealDB versions before 2.2.2, 2.1.5, and 2.0.5. When scripting is enabled via --allow-scripting or --allow-all flags, an authenticated attacker can submit long-running JavaScript functions to consume excessive server resources, causing a denial of service.

Detection Guidance

Check if SurrealDB is running with scripting enabled by inspecting command-line arguments or environment variables. Look for --allow-scripting, --allow-all, SURREAL_CAPS_ALLOW_SCRIPT=true, or SURREAL_CAPS_ALLOW_ALL=true in process listings or configuration files.

Impact Analysis

An attacker could exploit this to exhaust server resources, leading to system outages or degraded performance. The impact is limited to systems where scripting is explicitly enabled, as it is disabled by default.

Compliance Impact

This vulnerability primarily causes resource exhaustion leading to denial of service, which may indirectly impact compliance by disrupting data availability. However, there is no direct evidence in the provided context that this specific issue violates GDPR, HIPAA, or similar standards.

Mitigation Strategies

Upgrade SurrealDB to version 2.0.5, 2.1.5, or 2.2.2 or later. Alternatively, disable scripting using --deny-scripting or set SURREAL_CAPS_DENY_SCRIPT=true. Configure a timeout via SURREAL_SCRIPTING_MAX_TIME_LIMIT if upgrading is not possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71396. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart