CVE-2025-71397
Received Received - Intake

Authenticated Function Loop Exhaustion in SurrealDB

Vulnerability report for CVE-2025-71397, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 allows authenticated users with OWNER or EDITOR permissions (at the root, namespace, or database level) to define custom database functions via DEFINE FUNCTION using nested FOR loops. Although a single loop's iteration count is constrained, nesting multiple loops (e.g., each with 1,000,000 iterations) is not, so an attacker can execute a function that consumes all server CPU time. Configured timeouts do not stop the execution, rendering the server unresponsive to other queries and connections until it is manually restarted.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
surrealdb surrealdb to 2.0.5 (exc)
surrealdb surrealdb to 2.1.5 (exc)
surrealdb surrealdb to 2.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-71397 is a Denial of Service (DoS) vulnerability in SurrealDB affecting versions before 2.0.5, 2.1.5, and 2.2.2. Authenticated users with OWNER or EDITOR permissions can create custom functions using nested FOR loops with large iteration counts (e.g., 1,000,000 each). Executing these functions exhausts CPU resources, making the server unresponsive to other queries and connections until manually restarted.

Detection Guidance

Monitor SurrealDB server CPU usage spikes and unresponsive queries. Check for custom functions defined by users with OWNER or EDITOR permissions using nested FOR loops with high iteration counts. Review server logs for manual restart events or unusual function definitions.

Impact Analysis

This vulnerability can cause your SurrealDB server to become completely unresponsive, halting all database operations and connections. It requires manual intervention to restart the server, leading to downtime and potential data access issues. The impact is limited to authenticated users with specific permissions who can define custom functions.

Compliance Impact

This vulnerability could impact compliance with GDPR and HIPAA by causing prolonged server downtime due to CPU exhaustion, potentially leading to unauthorized data access or loss of availability for critical systems. GDPR requires timely data access and protection, while HIPAA mandates continuous availability of healthcare systems. The DoS condition may violate these requirements by disrupting service.

Mitigation Strategies

Upgrade SurrealDB to versions 2.0.5, 2.1.5, or 2.2.2 or later. Disable custom functions via command-line options or environment variables if immediate upgrade is not possible. Restrict OWNER and EDITOR permissions to trusted users only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart