GHSA-q729-696q-g9pqHighCVSS 7.5Disclosed before NVD

SurrealDB has Denial of Service in JSON parser due to nested objects

Published
July 1, 2026
Last Modified
July 1, 2026

📋 Description

The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested {, [, or ( tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket /rpc endpoint and exhaust server memory, crashing the process.

This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.

Impact

An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.

Patches

A patch enforces the configured recursion depth limit in parse_value and parse_json, bringing them in line with the rest of the parser.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Restrict network access to the WebSocket /rpc endpoint to trusted clients.

🎯 Affected products1

  • rust/surrealdb:< 3.1.0

🔗 References (3)