SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table required
📋 Description
A LIVE query whose WHERE clause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type — for example LIVE SELECT * FROM t WHERE string::trim(deny) — triggered an evaluation error inside the LIVE notification path. That error then propagated through to the triggering write, rolling back the attempted change.
While such a LIVE query was registered, all CREATE, UPDATE, and DELETE operations on the watched table failed — including those issued by a root user — for as long as the registration remained active. Registering the LIVE required select permission on the table; no other permission on the table was needed.
Impact
An authenticated user with select permission on a table can prevent all CREATE, UPDATE, and DELETE operations on that table — by any other user, up to and including root — for the lifetime of a single registered LIVE query. Service is restored when the LIVE query is killed or the session that registered it ends.
Patches
A patch has been introduced that:
- Decouples LIVE query evaluation errors from the source transaction — when
lq_checkreturns an error during the LIVE notification path, the error is now reported to the LIVE subscriber as anAction::Errornotification and the LIVE processing path returnsOk(()). The triggering write proceeds normally. - Defers the error notification until after the permission check — the
Action::Errornotification is only delivered after the LIVE subscription'sPERMISSIONSclause has been evaluated, so unauthorised subscribers do not learn even that an error occurred (closing an information-disclosure side channel introduced by the first part of the fix).
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Users unable to upgrade should restrict the ability of untrusted users to register LIVE queries by removing the select permission on tables they want to keep writeable, or by gating LIVE registration at the application layer.
🎯 Affected products1
- rust/surrealdb:< 3.1.0